CVE CyberSecurity Database News

CVE-2023-52434 - Out-of-Bounds Read in Linux Kernel’s SMB Client (smb2_parse_contexts) – What Happened and How It’s Fixed

Poster -

CVE-2023-52434 is a security vulnerability that was found and fixed in the Linux kernel’s Microsoft SMB (Server Message Block) client code, specifically in the function smb2_parse_contexts(). This bug allowed a malicious SMB server to cause the Linux client to access memory out of bounds, potentially leading to a kernel crash (Oops), denial of service, or even, in rare cases, privilege escalation.

This post explains the vulnerability, shows you the relevant code, gives a simple walk-through of how it could be exploited, and links to important references.

What is the SMB Client Doing?

When Linux connects to Windows file shares (and other SMB/CIFS-compliant servers), it uses the SMB protocol. Part of this protocol involves passing _“contexts”_—extra bits of information—back and forth. The kernel function smb2_parse_contexts() is responsible for reading and interpreting these optional data chunks.

What Was Wrong?

Prior to the patch, the smb2_parse_contexts() function would rely on lengths and offsets provided by the _server_ to read memory inside a received network packet. Usually, these values are legitimate, but a malicious server could send fake values, causing the client to read before or after the boundaries of the received packet—resulting in an _out-of-bounds_ (OOB) read.

Vulnerable Code Example (Before Patch)

// Context in the packet points here
char *context_ptr = (char *)buffer + le16_to_cpu(context_offset);
// The length is also provided by the server
u16 context_length = le16_to_cpu(context_length_field);

// No bounds checking!
memcpy(local_buf, context_ptr, context_length); 
// If context_offset or context_length are large, this could read outside buffer

If the server sends an _offset_ or _length_ that’s too large, context_ptr or the memory range it points to could go past the buffer. This could crash the kernel (Oops), as shown in the logs you saw:

BUG: unable to handle page fault for address: ffff8881178d8cc3
#PF: supervisor read access in kernel mode
...
Oops: 000 [#1] ... 
...
RIP: 001:smb2_parse_contexts+xa/x3a [cifs]

Fix: Validating Offsets and Lengths

The patch for CVE-2023-52434 added strict checks to make sure that the server-provided values will always be _within_ the bounds of the received network message. The logic is simple: before accessing a context in the message, validate that both its offset and length don’t cause any read to go past the buffer end.

Fixed Code Example (After Patch)

if (context_offset > buffer_size || context_length > buffer_size ||
    context_offset + context_length > buffer_size)
    return -EINVAL; // Don’t process invalid/context

memcpy(local_buf, (char *)buffer + context_offset, context_length);

Who is affected?

- Any Linux system using cifs.ko (CIFS/SMB client kernel module) to mount or interact with SMB shares.

The victim mounts this server using mount -t cifs ... from Linux.

- The server sends a response with a specially crafted “create context” in which the offset and/or length are bogus (too big).
- The kernel reads past its buffer, leading to a kernel Oops (crash), denial of service, or exposure of sensitive kernel data in some situations.

Example Exploitation (high-level)

- Set up a malicious SMB server (there are POCs using Impacket)
- Modify the CREATE response context fields to have large offsets/lengths

Client kernel accesses out-of-bounds memory and crashes

*While no public proof-of-concept (PoC) exploit script is widely available yet, such an exploit would be simple for an attacker with SMB protocol knowledge.*

How to Stay Safe

- Upgrade to a patched kernel. Look for a kernel version with CVE-2023-52434 fixed. This appeared in mainline around Linux v6.7-rc5 and is backported to supported stable kernels. See kernel changelog.
- Be careful which SMB servers you connect to! Do not mount untrusted or unknown SMB shares, especially over open networks.

Original References and Further Reading

- Kernel Patch Commit – “smb: client: fix potential OOBs in smb2_parse_contexts()”
- CVE Entry on MITRE
- SMB2 CREATE Contexts Specification (Microsoft Docs)
- Linux CIFS/SMB Kernel Code

Conclusion

CVE-2023-52434 is a great example of why strict validation of _all_ network-supplied offsets and lengths is crucial at the kernel level. Even minor oversights can have dramatic system stability and security impacts. If you use SMB shares from Linux, check your kernel version and upgrade if your distribution hasn’t patched this bug yet!


#### If you’d like to know more or see a working (safe) demonstration, let us know in the comments or check out the links above!

Timeline

Published on: 02/20/2024 18:15:50 UTC
Last modified on: 03/15/2024 14:21:29 UTC