Bug 1213424 (CVE-2023-38429)

Summary: VUL-0: CVE-2023-38429: kernel-source-rt,kernel-source-azure,kernel-source: off-by-one in ksmbd_smb2_check_message
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jlee, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372755/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-07-18 10:14:35 UTC 
CVE-2023-38429

An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c
in ksmbd has an off-by-one error in memory allocation (because of
ksmbd_smb2_check_message) that may lead to out-of-bounds access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38429
https://www.cve.org/CVERecord?id=CVE-2023-38429
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/ksmbd?id=443d61d1fa9faa60ef925513d83742902390100f
Comment 1 Thomas Leroy 2023-07-18 10:14:50 UTC 
Only stable ships ksmbd but it already has the fix
Comment 2 Joey Lee 2023-07-24 05:42:57 UTC 
(In reply to Thomas Leroy from comment #1)
> Only stable ships ksmbd but it already has the fix

commit 443d61d1fa9faa60ef925513d83742902390100f         [v6.4-rc3~7^2~1]
Author: Chih-Yen Chang <cc85nod@gmail.com>
Date:   Sat May 6 00:03:54 2023 +0900

    ksmbd: allocate one more byte for implied bcc[0]

Updata status:

stable        [v6.4, already included]


But, the fs/ksmbd be moved to fs/smb/server since v6.4:

Which means that 15-SP5 or older SLE may still need 443d61d1fa patch. I found that 15-SP5 has 38c8a9a52082 but no 443d61d1fa.
Comment 3 Joey Lee 2023-07-24 05:43:57 UTC 
Hi Paulo, 

Similar with bsc#1213421. Because this issue relates to samba. Could you please help to handle it? 

If this is not in your area, just reset but assigner to kernel-bugs@suse.de. Kernel Security Sentinel will find other expert.

Thanks a lot!
Comment 4 Joey Lee 2023-07-24 06:14:56 UTC 
(In reply to Joey Lee from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > Only stable ships ksmbd but it already has the fix
> 
> commit 443d61d1fa9faa60ef925513d83742902390100f         [v6.4-rc3~7^2~1]
> Author: Chih-Yen Chang <cc85nod@gmail.com>
> Date:   Sat May 6 00:03:54 2023 +0900
> 
>     ksmbd: allocate one more byte for implied bcc[0]
> 
> Updata status:
> 
> stable        [v6.4, already included]
> 
> 
> But, the fs/ksmbd be moved to fs/smb/server since v6.4:
> 
> Which means that 15-SP5 or older SLE may still need 443d61d1fa patch. I
> found that 15-SP5 has 38c8a9a52082 but no 443d61d1fa.

I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't need the patch in 15-SP5. 

Reset assigner.
Comment 5 Andrea Mattiazzo 2024-06-05 12:55:05 UTC 
All done, closing.