Bugzilla – Bug 1213421
VUL-0: CVE-2023-38426: kernel-source,kernel-source-azure,kernel-source-rt: fix global-out-of-bounds in smb2_find_context_vals
Last modified: 2024-05-29 12:10:35 UTC
CVE-2023-38426

An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38426
https://www.cve.org/CVERecord?id=CVE-2023-38426
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/ksmbd?id=02f76c401d17e409ed45bf7887148fcc22c93c85
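The length mismatch described in the report above, as an added example that is not part of the original bug report and is not the kernel's code. It is a simplified user-space model: the tag bytes, helper names and buffer layout are constructed, and it assumes the comparison runs over the client-supplied name_len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 4-byte tag followed by unrelated bytes, so the
 * over-read below stays inside one array and is well-defined to run. */
static const uint8_t region[8] = { 'T','A','G','1', 'N','E','X','T' };
#define TAG     (region)
#define TAG_LEN ((size_t)4)

/* Unchecked pattern (assumed model of the bug): the compare length is the
 * client-supplied name_len, so name_len > TAG_LEN reads past the tag. */
static int match_unchecked(const uint8_t *name, size_t name_len)
{
    return memcmp(name, TAG, name_len) == 0;
}

/* Hardened form: the name must lie inside the received buffer, and the
 * lengths must be equal before any byte of the tag is compared. */
static int match_checked(const uint8_t *buf, size_t buf_len,
                         size_t name_off, size_t name_len)
{
    if (name_off > buf_len || name_len > buf_len - name_off)
        return 0;               /* name would run past the request */
    if (name_len != TAG_LEN)
        return 0;               /* never compare beyond the tag */
    return memcmp(buf + name_off, TAG, TAG_LEN) == 0;
}

int main(void)
{
    /* Constructed request names: one exact, one longer than the tag. */
    const uint8_t exact[4]   = { 'T','A','G','1' };
    const uint8_t too_long[8] = { 'T','A','G','1','N','E','X','T' };

    printf("unchecked exact:    %d\n", match_unchecked(exact, 4));
    printf("unchecked too long: %d\n", match_unchecked(too_long, 8));
    printf("checked exact:      %d\n", match_checked(exact, 4, 0, 4));
    printf("checked too long:   %d\n", match_checked(too_long, 8, 0, 8));
    return 0;
}
```

In the unchecked form the result for the longer name is decided by bytes that sit after the tag in memory; the checked form rejects it before comparing anything.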
Only stable is affected
(In reply to Thomas Leroy from comment #1)
> Only stable is affected

Actually, stable already has the fix
(In reply to Thomas Leroy from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > Only stable is affected
>
> Actually, stable already has the fix

Update status:
- stable [v6.4, already included]

But fs/ksmbd has been moved to fs/smb/server since v6.4:

From 38c8a9a52082579090e34c033d439ed2cd1a462d Mon Sep 17 00:00:00 2001
[v6.4-rc4~22^2~2]
From: Steve French <stfrench@microsoft.com>
Date: Sun, 21 May 2023 20:46:30 -0500
Subject: smb: move client and server files to common directory fs/smb

Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko and helper modules) to new fs/smb subdirectory:

fs/cifs --> fs/smb/client
fs/ksmbd --> fs/smb/server
fs/smbfs_common --> fs/smb/common

Which means that 15-SP5 or older SLE may still need the 02f76c401d patch. I found that 15-SP5 has 38c8a9a52082 but no 02f76c401d.
Hi Paulo,

Because this issue relates to samba, could you please help to handle it? If this is not in your area, just reset the bug assigner to kernel-bugs@suse.de. Kernel Security Sentinel will find another expert.

Thanks a lot!
(In reply to Joey Lee from comment #3)
> (In reply to Thomas Leroy from comment #2)
> > (In reply to Thomas Leroy from comment #1)
> > > Only stable is affected
> >
> > Actually, stable already has the fix
>
> Update status:
> - stable [v6.4, already included]
>
>
> But fs/ksmbd has been moved to fs/smb/server since v6.4:
>
> From 38c8a9a52082579090e34c033d439ed2cd1a462d Mon Sep 17 00:00:00 2001
> [v6.4-rc4~22^2~2]
> From: Steve French <stfrench@microsoft.com>
> Date: Sun, 21 May 2023 20:46:30 -0500
> Subject: smb: move client and server files to common directory
> fs/smb
>
> Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
> and helper modules) to new fs/smb subdirectory:
>
> fs/cifs --> fs/smb/client
> fs/ksmbd --> fs/smb/server
> fs/smbfs_common --> fs/smb/common
>
> Which means that 15-SP5 or older SLE may still need the 02f76c401d patch. I
> found that 15-SP5 has 38c8a9a52082 but no 02f76c401d.

I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't need the patch in 15-SP5.

Reset assigner.
(In reply to Joey Lee from comment #5)
....
> I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't
> need the patch in 15-SP5.
>
> Reset assigner.

Hi Joey, is Leap 15.4 ok?

Thanks,
Simon
(In reply to Simon Logan from comment #6)
> (In reply to Joey Lee from comment #5)
> ....
> > I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't
> > need the patch in 15-SP5.
> >
> > Reset assigner.
>
> Hi Joey, is Leap 15.4 ok?
>
> Thanks,
> Simon

I see https://www.suse.com/security/cve/CVE-2023-38426.html says

SUSE Linux Enterprise Desktop 15 SP4: Not affected
SUSE Linux Enterprise Server 15 SP4: Not affected
(In reply to Simon Logan from comment #6)
> (In reply to Joey Lee from comment #5)
> ....
> > I just found that the CONFIG_SMB_SERVER is NOT set in 15-SP5. So we don't
> > need the patch in 15-SP5.
> >
> > Reset assigner.
>
> Hi Joey, is Leap 15.4 ok?
>
> Thanks,
> Simon

I also didn't see CONFIG_SMB_SERVER set in the 15-SP4 kernel. And Leap 15.4 directly uses the SLE15-SP4 kernel. So Leap 15.4 is also not affected.
(In reply to Joey Lee from comment #8)
> I also didn't see CONFIG_SMB_SERVER set in the 15-SP4 kernel. And Leap 15.4
> directly uses the SLE15-SP4 kernel. So Leap 15.4 is also not affected.

Thanks Joey.

Simon
All done, closing.