The Linux kernel team has fixed a global out-of-bounds (OOB) read in ksmbd_nl_policy, the netlink attribute policy table of ksmbd, the in-kernel SMB server. The bug is of the same kind as an earlier one in the rmnet driver (commit b33fb5b801c6, "net: qualcomm: rmnet: fix global oob in rmnet_policy"): a policy array whose length equals the family's maximum attribute type is one entry too short.

The issue was found by a local fuzzer run by the patch author, which produced a KASAN report of a global OOB read in the policy ksmbd_nl_policy; the full bug trace is reproduced in the commit message (linked below).

KASAN attributed the faulting address to the variable

ksmbd_nl_policy+0x100/0xa80

that is, the read of ksmbd_nl_policy[KSMBD_EVENT_MAX], the element one past the end of the table as it was sized before the fix.

The root cause is an off-by-one between the event enum and the policy table. In generic netlink, .maxattr is the highest attribute type a family accepts, and the attribute validator indexes policy[type] for every type up to and including maxattr, so a policy array must have maxattr + 1 entries. ksmbd's enum ended with KSMBD_EVENT_MAX, and that one value was used both as the length of ksmbd_nl_policy and as the family's maxattr, so an attribute of type KSMBD_EVENT_MAX, which the validator accepts as in range, is looked up one slot past the end of the array. The fix follows the convention used by other netlink families: a placeholder __KSMBD_EVENT_MAX is appended to the enum and KSMBD_EVENT_MAX is defined as __KSMBD_EVENT_MAX - 1, so that KSMBD_EVENT_MAX once again names the highest valid event type. The two sites that had used KSMBD_EVENT_MAX as an exclusive bound were then adjusted to its new inclusive meaning: the policy array is declared with KSMBD_EVENT_MAX + 1 entries, and the event-type check that rejected type >= KSMBD_EVENT_MAX now rejects type > KSMBD_EVENT_MAX.

The following simplified snippet illustrates the pattern of the fix. It is not the verbatim kernel diff: the real enum ksmbd_event in fs/smb/server/ksmbd_netlink.h has more members, and the policy table and the type check live in fs/smb/server/transport_ipc.c.

#include <linux/errno.h>
#include <linux/sizes.h>
#include <net/netlink.h>

/* Simplified: the real enum has more members; only the tail matters here. */
enum ksmbd_event_type {
    KSMBD_EVENT_HEARTBEAT,
    KSMBD_EVENT_DEBUG,
    /* add new events before this */
    __KSMBD_EVENT_MAX,
    KSMBD_EVENT_MAX = __KSMBD_EVENT_MAX - 1,
};

/*
 * KSMBD_EVENT_MAX is now the highest valid type (the value handed to
 * .maxattr), so the table needs KSMBD_EVENT_MAX + 1 entries for index
 * KSMBD_EVENT_MAX to exist.
 */
static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
    [KSMBD_EVENT_HEARTBEAT] = { .type = NLA_STRING, .len = SZ_64 },
    [KSMBD_EVENT_DEBUG]     = { .type = NLA_STRING, .len = SZ_64 },
};

/* Range check on an incoming event type: with the renumbered enum the
 * check must be ">" rather than ">=", or the last event would be rejected. */
static int ksmbd_check_event_type(int type)
{
    if (type > KSMBD_EVENT_MAX)
        return -EINVAL;
    return 0;
}

/* Every lookup into the table uses the same inclusive bound, so no index
 * can reach past the last entry. */
static const struct nla_policy *ksmbd_event_policy(int type)
{
    if (type < 0 || type > KSMBD_EVENT_MAX)
        return NULL;
    return &ksmbd_nl_policy[type];
}
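To make the off-by-one concrete, here is an added user-space model of the kernel's attribute validation loop. It is example code written for this page, not code from the Linux kernel or the ksmbd project: the sim_* names, the trimmed stand-in for struct nla_policy, the two small event enums and the attribute bytes are all constructed for the illustration. The "before" layout sizes the policy table with the last enumerator and passes the same value as maxattr; the "after" layout uses the __*_MAX placeholder. The same constructed message is validated against both, and the only difference is where the attribute of type *_MAX lands.

```c
/*
 * Added example, not kernel or ksmbd code. Models how the netlink validator
 * walks an attribute stream and indexes policy[type] for every type <= maxattr,
 * so that the ksmbd_nl_policy off-by-one shows up as a return code instead of
 * a KASAN splat. sim_* names, the trimmed policy struct and both enums are
 * assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NLA_HDRLEN    4                    /* sizeof(struct nlattr) */
#define NLA_ALIGN(n)  (((n) + 3) & ~3u)    /* attributes are 4-byte aligned */
#define NLA_TYPE_MASK 0x3fff               /* strips NLA_F_NESTED/NET_BYTEORDER */

enum { NLA_STRING = 5 };

/* Trimmed stand-in for struct nla_policy (the real one has more fields). */
struct sim_nla_policy { uint8_t type; uint16_t len; };

/* Before the fix: *_MAX is the last enumerator, so it equals the array
 * length and policy[B_EVENT_MAX] is one element past the end. */
enum sim_event_before { B_UNSPEC = 0, B_HEARTBEAT, B_DEBUG, B_EVENT_MAX };
static const struct sim_nla_policy sim_policy_before[B_EVENT_MAX] = {
	[B_HEARTBEAT] = { .type = NLA_STRING, .len = 64 },
	[B_DEBUG]     = { .type = NLA_STRING, .len = 64 },
};

/* After the fix: __*_MAX is the placeholder, *_MAX is the highest valid
 * type, and the array is sized *_MAX + 1 so that index *_MAX exists. */
enum sim_event_after {
	A_UNSPEC = 0, A_HEARTBEAT, A_DEBUG,
	__A_EVENT_MAX,
	A_EVENT_MAX = __A_EVENT_MAX - 1,
};
static const struct sim_nla_policy sim_policy_after[A_EVENT_MAX + 1] = {
	[A_HEARTBEAT] = { .type = NLA_STRING, .len = 64 },
	[A_DEBUG]     = { .type = NLA_STRING, .len = 64 },
};

#define SIM_EOOB       (-1)   /* policy[type] would lie outside the array */
#define SIM_EINVAL     (-2)   /* attribute rejected by its policy entry */
#define SIM_EBADSTREAM (-3)   /* malformed attribute header */

/*
 * Model of the validation loop: every attribute with type <= maxattr is
 * looked up as policy[type]. The kernel has no nentries argument and just
 * reads; here that read is guarded so the off-by-one returns SIM_EOOB.
 * Returns the number of attributes validated against the policy.
 */
static int sim_nla_validate(const uint8_t *buf, size_t len,
			    const struct sim_nla_policy *policy,
			    size_t nentries, int maxattr)
{
	size_t off = 0;
	int validated = 0;

	while (off + NLA_HDRLEN <= len) {
		uint16_t nla_len, nla_type;

		memcpy(&nla_len, buf + off, sizeof(nla_len));
		memcpy(&nla_type, buf + off + 2, sizeof(nla_type));
		nla_type &= NLA_TYPE_MASK;
		if (nla_len < NLA_HDRLEN || off + nla_len > len)
			return SIM_EBADSTREAM;
		if ((int)nla_type <= maxattr) {          /* "known" attribute */
			if ((size_t)nla_type >= nentries)
				return SIM_EOOB;         /* kernel: global OOB read */
			const struct sim_nla_policy *p = &policy[nla_type];
			size_t payload = nla_len - NLA_HDRLEN;

			if (p->type == NLA_STRING && p->len && payload > p->len)
				return SIM_EINVAL;
			validated++;
		}
		off += NLA_ALIGN(nla_len);
	}
	return validated;
}

/* Append one attribute (header + payload + padding); returns bytes written. */
static size_t sim_put_attr(uint8_t *buf, uint16_t type,
			   const void *data, uint16_t datalen)
{
	uint16_t nla_len = NLA_HDRLEN + datalen;

	memcpy(buf, &nla_len, sizeof(nla_len));
	memcpy(buf + 2, &type, sizeof(type));
	memcpy(buf + NLA_HDRLEN, data, datalen);
	memset(buf + nla_len, 0, NLA_ALIGN(nla_len) - nla_len);
	return NLA_ALIGN(nla_len);
}

/*
 * Constructed message: a valid DEBUG string, then an attribute whose type is
 * 3, the numeric value of the old-style *_MAX. With the old layout that
 * attribute walks off the end of the table; with the fixed layout it is
 * above maxattr and simply ignored.
 */
static int sim_run(int fixed)
{
	uint8_t msg[64];
	size_t n = 0;

	n += sim_put_attr(msg + n, 2, "hello", 6);
	n += sim_put_attr(msg + n, 3, "x", 2);
	if (fixed)
		return sim_nla_validate(msg, n, sim_policy_after,
					A_EVENT_MAX + 1, A_EVENT_MAX);
	return sim_nla_validate(msg, n, sim_policy_before,
				B_EVENT_MAX, B_EVENT_MAX);
}
```

sim_run(0) returns SIM_EOOB because type 3 passes the maxattr test yet indexes a three-entry table; sim_run(1) returns 1, the single DEBUG attribute, because under the fixed layout maxattr is 2 and the table has three entries. Note that in both layouts the fuzzer only has to hit one specific attribute type, which is why a simple local fuzzer found this quickly.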

With the fix, every index into ksmbd_nl_policy stays within the table, removing an out-of-bounds read that could crash the kernel or expose adjacent kernel data. Users and developers running an affected kernel with ksmbd enabled should update to a kernel that includes this patch.

- Linux Kernel Mailing List - ksmbd: fix global oob in ksmbd_nl_policy
- Linux Kernel Source Code

Timeline

Published on: 03/11/2024 18:15:18 UTC
Last modified on: 03/12/2024 12:40:13 UTC