Bug 1213421 (CVE-2023-38426)

Summary: VUL-0: CVE-2023-38426: kernel-source,kernel-source-azure,kernel-source-rt: fix global-out-of-bounds in smb2_find_context_vals
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jlee, security-team, simonalogan
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/372752/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2023-07-18 10:02:11 UTC
CVE-2023-38426

An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an
out-of-bounds read in smb2_find_context_vals when create_context's name_len is
larger than the tag length.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38426
https://www.cve.org/CVERecord?id=CVE-2023-38426
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/ksmbd?id=02f76c401d17e409ed45bf7887148fcc22c93c85
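The bug described above is a missing length check: the context name's length comes from the client, and the comparison against a fixed server-side tag was bounded by that client-supplied length rather than by the tag's own length. The following C program is an added illustration written for this page, not ksmbd's code and not the upstream fix. It models the SMB2 create-context walk with the 16-byte header layout from the SMB2 CREATE request, and compares a name lookup that is bounded only by name_len (the vulnerable pattern) with one that first requires name_len to equal the tag length. The helper names (find_context, put_context, find_in_sample) and the request bytes are assumptions constructed for the demo; the crafted context keeps its bytes matching up to the tag's terminator so the vulnerable branch runs without undefined behaviour and instead shows the false match that the length check prevents.

```c
/* Constructed model of SMB2 create-context lookup for CVE-2023-38426.
 * Not ksmbd code; only the 16-byte create-context header layout is taken
 * from the SMB2 wire format. Helper names are assumptions for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CC_HDR_LEN 16   /* Next(4) NameOffset(2) NameLength(2) Reserved(2)
                           DataOffset(2) DataLength(4) */

/* Little-endian field helpers, so the sample bytes match the wire format
 * regardless of host byte order. */
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Walk the create-context chain in buf and return the offset of the first
 * context whose name matches tag, or -1. With fixed == 0 the comparison is
 * bounded by the client's name_len (the vulnerable pattern: the tag is read
 * for as many bytes as the client claims); with fixed != 0 the name must be
 * exactly tag_len bytes before any bytes are compared. */
static int find_context(const uint8_t *buf, size_t buf_len,
                        const char *tag, size_t tag_len, int fixed)
{
    size_t off = 0;

    while (off + CC_HDR_LEN <= buf_len) {
        const uint8_t *cc = buf + off;
        uint32_t next = get32(cc);
        size_t name_off = get16(cc + 4);
        size_t name_len = get16(cc + 6);
        const char *name;
        int match;

        /* The name must lie inside the request buffer either way. */
        if (name_off < CC_HDR_LEN || name_off + name_len > buf_len - off)
            return -1;
        name = (const char *)cc + name_off;

        if (fixed)
            match = name_len == tag_len && memcmp(name, tag, tag_len) == 0;
        else
            match = strncmp(name, tag, name_len) == 0;   /* vulnerable bound */
        if (match)
            return (int)off;

        if (next == 0)
            break;
        if (next < CC_HDR_LEN || next > buf_len - off)  /* no loops, no overrun */
            return -1;
        off += next;
    }
    return -1;
}

/* Append one create context (name only, no data) to out; returns bytes
 * written or 0 if it does not fit. Contexts are padded to 8 bytes and Next
 * points at the following context unless last is set. */
static size_t put_context(uint8_t *out, size_t cap, const uint8_t *name,
                          size_t name_len, int last)
{
    size_t total = (CC_HDR_LEN + name_len + 7) & ~(size_t)7;

    if (total > cap)
        return 0;
    memset(out, 0, total);
    put32(out, last ? 0 : (uint32_t)total);
    put16(out + 4, CC_HDR_LEN);           /* NameOffset */
    put16(out + 6, (uint16_t)name_len);   /* NameLength, client controlled */
    memcpy(out + CC_HDR_LEN, name, name_len);
    return total;
}

/* Constructed request: a benign 4-byte "ExtA" context at offset 0, then a
 * context at offset 24 whose NameLength is 6, larger than the 4-byte tag
 * "DHnQ" it imitates. Returns the offset find_context reports for tag. */
int find_in_sample(const char *tag, size_t tag_len, int fixed)
{
    uint8_t req[64];
    size_t len = 0;

    len += put_context(req, sizeof req, (const uint8_t *)"ExtA", 4, 0);
    len += put_context(req + len, sizeof req - len,
                       (const uint8_t *)"DHnQ\0\0", 6, 1);
    return find_context(req, len, tag, tag_len, fixed);
}

int main(void)
{
    printf("unchecked lookup of DHnQ: %d\n", find_in_sample("DHnQ", 4, 0));
    printf("length-checked lookup of DHnQ: %d\n", find_in_sample("DHnQ", 4, 1));
    return 0;
}
```

The unchecked lookup returns the crafted context at offset 24 because strncmp, bounded by the client's name_len of 6, runs past the 4-byte tag and compares whatever follows it; the length-checked lookup rejects it and returns -1, while a well-formed context such as "ExtA" is still found by both.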
Comment 1 Thomas Leroy 2023-07-18 10:02:20 UTC
Only stable is affected
Comment 2 Thomas Leroy 2023-07-18 10:08:16 UTC
(In reply to Thomas Leroy from comment #1)
> Only stable is affected

Actually, stable already has the fix
Comment 3 Joey Lee 2023-07-24 05:35:06 UTC
(In reply to Thomas Leroy from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > Only stable is affected
> 
> Actually, stable already has the fix

Update status:
- stable                [v6.4, already included]


But fs/ksmbd has been moved to fs/smb/server since v6.4:

From 38c8a9a52082579090e34c033d439ed2cd1a462d Mon Sep 17 00:00:00 2001 [v6.4-rc4~22^2~2]
From: Steve French <stfrench@microsoft.com>
Date: Sun, 21 May 2023 20:46:30 -0500
Subject: smb: move client and server files to common directory
 fs/smb

Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
and helper modules) to new fs/smb subdirectory:

   fs/cifs --> fs/smb/client
   fs/ksmbd --> fs/smb/server
   fs/smbfs_common --> fs/smb/common

Which means that 15-SP5 or older SLE may still need the 02f76c401d patch. I found that 15-SP5 has 38c8a9a52082 but no 02f76c401d.
Comment 4 Joey Lee 2023-07-24 05:37:32 UTC
Hi Paulo, 

Because this issue relates to samba, could you please help to handle it?

If this is not in your area, just reset the assignee to kernel-bugs@suse.de. The Kernel Security Sentinel will find another expert.

Thanks a lot!
Comment 5 Joey Lee 2023-07-24 06:15:47 UTC
(In reply to Joey Lee from comment #3)
> (In reply to Thomas Leroy from comment #2)
> > (In reply to Thomas Leroy from comment #1)
> > > Only stable is affected
> > 
> > Actually, stable already has the fix
> 
> Update status:
> - stable                [v6.4, already included]
> 
> 
> But fs/ksmbd has been moved to fs/smb/server since v6.4:
> 
> From 38c8a9a52082579090e34c033d439ed2cd1a462d Mon Sep 17 00:00:00 2001
> [v6.4-rc4~22^2~2]
> From: Steve French <stfrench@microsoft.com>
> Date: Sun, 21 May 2023 20:46:30 -0500
> Subject: smb: move client and server files to common directory
>  fs/smb
> 
> Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
> and helper modules) to new fs/smb subdirectory:
> 
>    fs/cifs --> fs/smb/client
>    fs/ksmbd --> fs/smb/server
>    fs/smbfs_common --> fs/smb/common
> 
> Which means that 15-SP5 or older SLE may still need the 02f76c401d patch. I
> found that 15-SP5 has 38c8a9a52082 but no 02f76c401d.

I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't need the patch in 15-SP5. 

Reset assignee.
Comment 6 Simon Logan 2023-08-02 13:13:15 UTC
(In reply to Joey Lee from comment #5)
....
> I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't
> need the patch in 15-SP5. 
> 
> Reset assignee.

Hi Joey, is Leap 15.4 ok?

Thanks,
Simon
Comment 7 Simon Logan 2023-08-02 13:20:13 UTC
(In reply to Simon Logan from comment #6)
> (In reply to Joey Lee from comment #5)
> ....
> > I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't
> > need the patch in 15-SP5. 
> > 
> > Reset assignee.
> 
> Hi Joey, is Leap 15.4 ok?
> 
> Thanks,
> Simon

I see https://www.suse.com/security/cve/CVE-2023-38426.html says
SUSE Linux Enterprise Desktop 15 SP4 Not affected
SUSE Linux Enterprise Server 15 SP4  Not affected
Comment 8 Joey Lee 2023-08-08 02:19:38 UTC
(In reply to Simon Logan from comment #6)
> (In reply to Joey Lee from comment #5)
> ....
> > I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't
> > need the patch in 15-SP5. 
> > 
> > Reset assignee.
> 
> Hi Joey, is Leap 15.4 ok?
> 
> Thanks,
> Simon

I also didn't see CONFIG_SMB_SERVER set in the 15-SP4 kernel. And Leap 15.4 directly uses the SLE15-SP4 kernel. So Leap 15.4 is also not affected.
Comment 9 Simon Logan 2023-11-28 11:41:30 UTC
(In reply to Joey Lee from comment #8)

> I also didn't see CONFIG_SMB_SERVER set in the 15-SP4 kernel. And Leap 15.4
> directly uses the SLE15-SP4 kernel. So Leap 15.4 is also not affected.

Thanks Joey.

Simon
Comment 10 Andrea Mattiazzo 2024-05-29 12:10:35 UTC
All done, closing.