CVE-2023-6606: Out-of-Bounds Read Vulnerability in the Linux Kernel

A newly discovered out-of-bounds read vulnerability has been found in the Linux Kernel, affecting the function smbCalcSize, located in fs/smb/client/netmisc.c. This critical vulnerability could potentially allow a local attacker to crash the system or leak sensitive internal kernel information.

The vulnerability has been assigned the CVE identifier CVE-2023-6606.

Vulnerability Details

The vulnerability lies within the smbCalcSize function, which is responsible for calculating the buffer size required for the SMB (Server Message Block) transactions. Due to improper validation of user-supplied input, the function can miscalculate the required buffer size, leading to an out-of-bounds read.

Out-of-bounds read occurs when a program reads data from a location outside of its data structure or buffer. This can lead to crashes and the disclosure of internal memory, which may potentially contain sensitive information about the kernel.

Exploit Details

An attacker can exploit this vulnerability if they have local access to the vulnerable system. To exploit this vulnerability, an attacker may send a malicious SMB request to the server with a specially-crafted buffer size, causing the out-of-bounds read in the smbCalcSize function.

The malicious code snippet causing the vulnerability

ssize_t smbCalcSize(const unsigned char *pbuf)
{
    /* ... */
    wordCount = GET_WORD(pbuf);
    pbuf +=2;
    bcc = GET_WORD(pbuf);
    return (ssize_t) (HEADER_SIZE + 2*wordCount + bcc);
}

This code snippet demonstrates the improper validation of the wordCount and bcc values, which can be manipulated by the attacker to cause an out-of-bounds read.

Mitigation

To mitigate this vulnerability, it is recommended to apply the latest security patches provided by your Linux distribution vendor. The specific patch related to this vulnerability can be found at the following link:

Linux Kernel Patch for CVE-2023-6606

Here is the code snippet with the fix applied

ssize_t smbCalcSize(const unsigned char *pbuf)
{
    /* ... */

    wordCount = GET_WORD(pbuf);
    if (wordCount > MAX_WORD_COUNT)
        return -EIO;

    pbuf +=2;
    bcc = GET_WORD(pbuf);
    if (bcc > MAX_BCC)
        return -EIO;

    return (ssize_t) (HEADER_SIZE + 2*wordCount + bcc);
}

In this patched version of the smbCalcSize function, the wordCount and bcc values are properly validated for their limits, preventing out-of-bounds read.

Conclusion

It is crucial to keep your Linux Kernel up-to-date and apply the latest patches as they become available. The CVE-2023-6606 out-of-bounds read vulnerability could have serious implications for systems if left unpatched, and it is essential to protect your infrastructure by applying the necessary fixes.

For more information on this vulnerability and its mitigation, refer to the following resources

1. CVE-2023-6606 - NVD
2. Linux Kernel Patch for CVE-2023-6606

Stay safe and ensure your systems are protected against all known vulnerabilities.

Timeline

Published on: 12/08/2023 17:15:07 UTC
Last modified on: 02/20/2024 15:15:09 UTC