CVE-2024-26954 - Linux KSMBD slab-out-of-bounds Vulnerability Explained (with Exploit Details)

---

Summary

In February 2024, a critical security vulnerability (CVE-2024-26954) was identified and patched in the Linux kernel's KSMBD (SMB server kernel module). This issue could allow attackers to read out-of-bounds memory areas, potentially exposing sensitive information or destabilizing the system. This post breaks down how the bug works, shows relevant code, discusses the exploit potential, and links to original references for those who want to dive deeper.

What is KSMBD and Why Does This Matter?

KSMBD is the SMB3 file server directly implemented in the Linux kernel. This makes Linux able to share files with Windows and other SMB clients very efficiently. However, running code in the kernel means any security issues can have serious consequences—including denial of service, data leaks, or privilege escalation.

The function smb_strndup_from_utf16() converts file names from SMB packets (UTF-16) to C strings.

- When handling an SMB2_CREATE request, the code reads the NameOffset value from the packet to know where the file name is inside the buffer.
- If the NameOffset is set to a value lower than the actual buffer start, the code will read memory it shouldn't be accessing (slab-out-of-bounds read).
- This is dangerous because attackers can craft packets that make the kernel leak adjacent data or crash.

Here’s a simplified (not literal) extract to demonstrate

/* Vulnerable flow: No lower bound check on NameOffset before reading */
if (req->NameLength > ) {
    char *filename = smb_strndup_from_utf16(buf + req->NameOffset, req->NameLength);
    // ... use filename ...
}

The bug: Suppose NameOffset is less than the correct start offset (Buffer field), buf + req->NameOffset could point before the buffer starts, reading arbitrary kernel memory.

Patch: How Was CVE-2024-26954 Fixed?

The maintainers fixed this by verifying that NameOffset is at least the 'Buffer' offset. Here’s the relevant check added:

/* Proper fix: Clamp NameOffset */
if (req->NameOffset < SMB2_CREATE_REQ_BUFFER_OFFSET) {
    // Invalid NameOffset: abort processing
    return -EINVAL;
}

You can see the patch on the official kernel mailing list:
ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() (patch reference)

Send a crafted SMB2_CREATE request with NameOffset pointing before the start of the buffer.

- The kernel reads memory it shouldn't, possibly leaking kernel data in the response, or more likely, crashing the server (DoS).

Example of a bad request (pseudocode)

# Build a malicious SMB2 CREATE packet
packet = bytearray()
# ... set fields ...
packet[NameOffset_field] = BAD_OFFSET      # deliberately below buffer start
packet[NameLength_field] = 16             # arbitrary
# ... fill rest ...
# Send packet to SMB server

If the server is vulnerable, it may crash or its response may contain bits of kernel memory.

How to Protect Yourself

1. Upgrade your kernel: Fixed in Linux mainline as of March 2024. Get latest patches from your distribution!

References & Further Reading

- Linux Kernel Patch: ksmbd fix slab-out-of-bounds in smb_strndup_from_utf16()
- KSMBD documentation
- CVE Details for CVE-2024-26954

Conclusion

CVE-2024-26954 is a reminder that even subtle boundary checks can have major security impacts, especially in complex network code. If you use filesharing on Linux, make sure you’re patched. Interested researchers can still use fuzzing to check other SMB server code for similar logical mistakes.

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 03/03/2025 17:47:59 UTC