cve/published/2023/CVE-2023-52434.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52434: smb: client: fix potential OOBs in smb2_parse_contexts()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 smb: client: fix potential OOBs in smb2_parse_contexts()

 Validate offsets and lengths before dereferencing create contexts in
 smb2_parse_contexts().

 This fixes following oops when accessing invalid create contexts from
 server:

   BUG: unable to handle page fault for address: ffff8881178d8cc3
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not-present page
   PGD 4a01067 P4D 4a01067 PUD 0
   Oops: 0000 [#1] PREEMPT SMP NOPTI
   CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
   rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
   RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
   Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
   00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
   7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
   RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
   RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
   RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
   RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
   R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
   R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
   FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
   knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
   PKRU: 55555554
   Call Trace:
    <TASK>
    ? __die+0x23/0x70
    ? page_fault_oops+0x181/0x480
    ? search_module_extables+0x19/0x60
    ? srso_alias_return_thunk+0x5/0xfbef5
    ? exc_page_fault+0x1b6/0x1c0
    ? asm_exc_page_fault+0x26/0x30
    ? smb2_parse_contexts+0xa0/0x3a0 [cifs]
    SMB2_open+0x38d/0x5f0 [cifs]
    ? smb2_is_path_accessible+0x138/0x260 [cifs]
    smb2_is_path_accessible+0x138/0x260 [cifs]
    cifs_is_path_remote+0x8d/0x230 [cifs]
    cifs_mount+0x7e/0x350 [cifs]
    cifs_smb3_do_mount+0x128/0x780 [cifs]
    smb3_get_tree+0xd9/0x290 [cifs]
    vfs_get_tree+0x2c/0x100
    ? capable+0x37/0x70
    path_mount+0x2d7/0xb80
    ? srso_alias_return_thunk+0x5/0xfbef5
    ? _raw_spin_unlock_irqrestore+0x44/0x60
    __x64_sys_mount+0x11a/0x150
    do_syscall_64+0x47/0xf0
    entry_SYSCALL_64_after_hwframe+0x6f/0x77
   RIP: 0033:0x7f8737657b1e

 The Linux kernel CVE team has assigned CVE-2023-52434 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.277 with commit 6726429c18c62dbf5e96ebbd522f262e016553fb
 	Fixed in 5.10.211 with commit 13fb0fc4917621f3dfa285a27eaf7151d770b5e5
 	Fixed in 5.15.150 with commit 890bc4fac3c0973a49cac35f634579bebba7fe48
 	Fixed in 6.1.79 with commit 1ae3c59355dc9882e09c020afe8ffbd895ad0f29
 	Fixed in 6.6.8 with commit 17a0f64cc02d4972e21c733d9f21d1c512963afa
 	Fixed in 6.7 with commit af1689a9b7701d9907dfc84d2a4b57c4bc907144

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52434
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/smb/client/cached_dir.c
 	fs/smb/client/smb2pdu.c
 	fs/smb/client/smb2proto.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6726429c18c62dbf5e96ebbd522f262e016553fb
 	https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5
 	https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48
 	https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29
 	https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa
 	https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52434: smb: client: fix potential OOBs in smb2_parse_contexts()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	smb: client: fix potential OOBs in smb2_parse_contexts()

	Validate offsets and lengths before dereferencing create contexts in
	smb2_parse_contexts().

	This fixes following oops when accessing invalid create contexts from
	server:

	BUG: unable to handle page fault for address: ffff8881178d8cc3
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 4a01067 P4D 4a01067 PUD 0
	Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
	rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
	RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
	Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
	00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
	7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
	RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
	RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
	RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
	RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
	R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
	R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
	FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
	knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __die+0x23/0x70
	? page_fault_oops+0x181/0x480
	? search_module_extables+0x19/0x60
	? srso_alias_return_thunk+0x5/0xfbef5
	? exc_page_fault+0x1b6/0x1c0
	? asm_exc_page_fault+0x26/0x30
	? smb2_parse_contexts+0xa0/0x3a0 [cifs]
	SMB2_open+0x38d/0x5f0 [cifs]
	? smb2_is_path_accessible+0x138/0x260 [cifs]
	smb2_is_path_accessible+0x138/0x260 [cifs]
	cifs_is_path_remote+0x8d/0x230 [cifs]
	cifs_mount+0x7e/0x350 [cifs]
	cifs_smb3_do_mount+0x128/0x780 [cifs]
	smb3_get_tree+0xd9/0x290 [cifs]
	vfs_get_tree+0x2c/0x100
	? capable+0x37/0x70
	path_mount+0x2d7/0xb80
	? srso_alias_return_thunk+0x5/0xfbef5
	? _raw_spin_unlock_irqrestore+0x44/0x60
	__x64_sys_mount+0x11a/0x150
	do_syscall_64+0x47/0xf0
	entry_SYSCALL_64_after_hwframe+0x6f/0x77
	RIP: 0033:0x7f8737657b1e

	The Linux kernel CVE team has assigned CVE-2023-52434 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.277 with commit 6726429c18c62dbf5e96ebbd522f262e016553fb
	Fixed in 5.10.211 with commit 13fb0fc4917621f3dfa285a27eaf7151d770b5e5
	Fixed in 5.15.150 with commit 890bc4fac3c0973a49cac35f634579bebba7fe48
	Fixed in 6.1.79 with commit 1ae3c59355dc9882e09c020afe8ffbd895ad0f29
	Fixed in 6.6.8 with commit 17a0f64cc02d4972e21c733d9f21d1c512963afa
	Fixed in 6.7 with commit af1689a9b7701d9907dfc84d2a4b57c4bc907144

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52434
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/smb/client/cached_dir.c
	fs/smb/client/smb2pdu.c
	fs/smb/client/smb2proto.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6726429c18c62dbf5e96ebbd522f262e016553fb
	https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5
	https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48
	https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29
	https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa
	https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144