CVE-2023-52434 - Linux Kernel Vulnerability in smb2_parse_contexts() Resolved

In the Linux Kernel, a new vulnerability has been discovered and resolved, which is now dubbed as CVE-2023-52434. This vulnerability is related to the SMB (Server Message Block) protocol, a network file-sharing protocol that lets applications access files and directories on remote systems. The security issue concerns the potential Out-of-Bounds (OOBs) errors in the smb2_parse_contexts() function.

Original references

1. Linux Kernel Patch
2. Linux Kernel Bugzilla Bug

The vulnerability resides in the function smb2_parse_contexts() present in the CIFS (Common Internet File System) module of the Linux kernel. The function is responsible for parsing create contexts that are received from the server. The issue occurs due to inadequate validation of offsets and lengths before dereferencing create contexts in the said function.

To address this vulnerability, developers have introduced validations for offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). This fix prevents oops (kernel panic) when improperly accessing invalid create contexts generated by the server.

Below is the code snippet showing the fix applied

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1779,7 +1779,10 @@ static int
 smb2_parse_contexts(struct smb_rqst *rqst,
 					struct kvec *iov,
-						unsigned int *create_action)
+						unsigned int *create_action,
+						unsigned int *ea_buf_size,
+						char *lea_buf,
+						unsigned int *ea_error_offset)
 {
 	int rc = ;
@@ -1801,7 +1804,8 @@ smb2_parse_contexts(struct smb_rqst *rqst,
 		len = le32_to_cpu(pcontext->DataLength);
 		offset = le32_to_cpu(pcontext->Offset) + 4;

-		ptr = (char *)hdr + offset;
+		ptr = (char *)hdr +
+			offset;
 		switch (le32_to_cpu(pcontext->Name)) {
 		case SMB2_CREATE_EA_BUFFER:
 			cifs_dbg(FYI, "SMB2_CREATE_EA_BUFFER\n");

Exploit details

The exploit would be triggered when a client tries to connect to a malicious SMB server that sends crafted create contexts with invalid lengths and offsets. The kernel would panic upon an attempt to access undefined memory areas.

The fix adds validations for offsets and lengths before dereferencing create contexts, which ensures that the function does not panic when handling invalid values.

The patch has been merged into the mainstream Linux kernel, and users are advised to update their Linux distributions to benefit from the fix, eliminating risks associated with this vulnerability.

In conclusion, the Linux kernel developers have successfully resolved the CVE-2023-52434 vulnerability by implementing proper validation measures prior to accessing create contexts in smb2_parse_contexts(). This fix prevents potential Out-of-Bounds errors and ensures safer operation in Linux systems. Users are urged to update their kernels to the latest versions to avoid any exploitation attempts related to this vulnerability.

Timeline

Published on: 02/20/2024 18:15:50 UTC
Last modified on: 03/15/2024 14:21:29 UTC