Bug 1213427 (CVE-2023-38432)

Summary: VUL-0: CVE-2023-38432: kernel-source,kernel-source-rt,kernel-source-azure: out-of-bounds read in ksmbd_smb2_check_message
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jlee, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372758/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-07-18 10:19:58 UTC 
CVE-2023-38432

An issue was discovered in the Linux kernel before 6.3.10.
fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the
command payload size and the RFC1002 length specification, leading to an
out-of-bounds read.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38432
https://www.cve.org/CVERecord?id=CVE-2023-38432
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.10
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/smb/server?id=2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d
Comment 1 Thomas Leroy 2023-07-18 10:20:36 UTC 
Only stable ships ksmbd but it already has the fix
Comment 2 Joey Lee 2023-07-24 06:03:24 UTC 
(In reply to Thomas Leroy from comment #1)
> Only stable ships ksmbd but it already has the fix

commit 2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d         [v6.4~32^2~3]
Author: Namjae Jeon <linkinjeon@kernel.org>
Date:   Mon Jun 5 01:57:34 2023 +0900

    ksmbd: validate command payload size

stable        [v6.4, already included]

But, the fs/ksmbd be moved to fs/smb/server since v6.4:

Which means that 15-SP5 or older SLE may still need 2b9b8f3b68e patch.
Comment 3 Joey Lee 2023-07-24 06:03:49 UTC 
Hi Paulo, 

Because this issue relates to samba. Could you please help to handle it? 

If this is not in your area, just reset but assigner to kernel-bugs@suse.de. Kernel Security Sentinel will find other expert.

Thanks a lot!
Comment 4 Joey Lee 2023-07-24 06:11:30 UTC 
(In reply to Joey Lee from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > Only stable ships ksmbd but it already has the fix
> 
> commit 2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d         [v6.4~32^2~3]
> Author: Namjae Jeon <linkinjeon@kernel.org>
> Date:   Mon Jun 5 01:57:34 2023 +0900
> 
>     ksmbd: validate command payload size
> 
> stable        [v6.4, already included]
> 
> But, the fs/ksmbd be moved to fs/smb/server since v6.4:
> 
> Which means that 15-SP5 or older SLE may still need 2b9b8f3b68e patch.

I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't need the patch in 15-SP5. 

Reset assigner.
Comment 5 Gabriele Sonnu 2024-06-07 13:39:25 UTC 
All done, closing.