Bug 1213814 (CVE-2023-3866)

Summary: VUL-0: CVE-2023-3866: kernel-source-azure,kernel-source-rt,kernel-source: ksmbd: Chained Request NULL Pointer Dereference Denial-of-Service Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jlee, jmcdonough, palcantara, rfrohl, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/373726/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-07-31 10:46:17 UTC 
CVE-2023-3866

This vulnerability allows remote attackers to create a denial-of-service
condition on affected installations of Linux Kernel. Authentication is not
required to exploit this vulnerability, but only systems with ksmbd enabled are
vulnerable.

The specific flaw exists within the handling of chained requests. The issue
results from dereferencing a NULL pointer. An attacker can leverage this
vulnerability to create a denial-of-service condition on the system.

Upstream fix:
5005bcb42191 (ksmbd: validate session id and tree id in the compound request)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3866
https://www.zerodayinitiative.com/advisories/ZDI-23-979/
Comment 1 Thomas Leroy 2023-07-31 10:47:15 UTC 
Only built on stable which already has the fix, so we should be good
Comment 2 Joey Lee 2023-08-01 04:32:01 UTC 
(In reply to Thomas Leroy from comment #1)
> Only built on stable which already has the fix, so we should be good

commit 5005bcb4219156f1bf7587b185080ec1da08518e                 [v6.4~32^2]
Author: Namjae Jeon <linkinjeon@kernel.org>
Date:   Thu Jun 15 22:05:29 2023 +0900

    ksmbd: validate session id and tree id in the compound request

The above fixing patch puts changes on fs/smb/server/server.c. SLE15-SP5 doesn't have this C file because it is introduced by 0626e6641f6b4 since v5.15-rc1. 

So, yes, 15-SP5 is not affected. And stable branch already included fixing patch 5005bcb42.

I still add samba expert, Paulo Alcantara to Cc. But we can close this issue. 

Reset assigner.
Comment 3 Robert Frohl 2024-05-22 20:26:38 UTC 
closing