| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-41030: ksmbd: discard write access to the directory open |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| ksmbd: discard write access to the directory open |
| |
| may_open() does not allow a directory to be opened with the write access. |
| However, some writing flags set by client result in adding write access |
| on server, making ksmbd incompatible with FUSE file system. Simply, let's |
| discard the write access when opening a directory. |
| |
| list_add corruption. next is NULL. |
| ------------[ cut here ]------------ |
| kernel BUG at lib/list_debug.c:26! |
| pc : __list_add_valid+0x88/0xbc |
| lr : __list_add_valid+0x88/0xbc |
| Call trace: |
| __list_add_valid+0x88/0xbc |
| fuse_finish_open+0x11c/0x170 |
| fuse_open_common+0x284/0x5e8 |
| fuse_dir_open+0x14/0x24 |
| do_dentry_open+0x2a4/0x4e0 |
| dentry_open+0x50/0x80 |
| smb2_open+0xbe4/0x15a4 |
| handle_ksmbd_work+0x478/0x5ec |
| process_one_work+0x1b4/0x448 |
| worker_thread+0x25c/0x430 |
| kthread+0x104/0x1d4 |
| ret_from_fork+0x10/0x20 |
| |
| The Linux kernel CVE team has assigned CVE-2024-41030 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.1.100 with commit 66cf853e1c7a2407f15d9f7aaa3e47d61745e361 |
| Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.6.41 with commit 9e84b1ba5c98fb5c9f869c85db1d870354613baa |
| Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.9.10 with commit 198498b2049c0f11f7670be6974570e02b0cc035 |
| Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.10 with commit e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-41030 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/smb/server/smb2pdu.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361 |
| https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa |
| https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035 |
| https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd |
