Bug 1213545 - VUL-0: kernel-source-rt,kernel-source,kernel-source-azure: ksmbd Session Setup Out-Of-Bounds Read Information Disclosure Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373138/
Reported: 2023-07-21 07:13 UTC by Thomas Leroy
Modified: 2024-06-25 17:50 UTC
Found By: Security Response Team


Description Thomas Leroy 2023-07-21 07:13:58 UTC
ZDI-23-981

This vulnerability allows remote attackers to disclose sensitive information on
affected installations of Linux Kernel. Authentication is not required to
exploit this vulnerability. However, only systems with ksmbd enabled are
vulnerable.

Upstream fix:
https://github.com/torvalds/linux/commit/98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8

The specific flaw exists within the handling of session setup commands. The
issue results from the lack of proper validation of user-supplied data, which
can result in a read past the end of an allocated buffer. An attacker can
leverage this in conjunction with other vulnerabilities to execute arbitrary
code in the context of the kernel.

References:
https://www.zerodayinitiative.com/advisories/ZDI-23-981/
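
The class of check the description says was missing, as an added example that is not part of the original report and is not the upstream patch. It assumes the user-supplied data in question is the SecurityBufferOffset/SecurityBufferLength pair of an SMB2 SESSION_SETUP request (field layout per MS-SMB2); `sess_setup_blob`, `check_sample` and `min_len` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Offsets from the start of the SMB2 header (MS-SMB2 SESSION_SETUP layout). */
#define SMB2_HDR_LEN     64u
#define SECBUF_OFF_FIELD (SMB2_HDR_LEN + 12u) /* SecurityBufferOffset, LE16 */
#define SECBUF_LEN_FIELD (SMB2_HDR_LEN + 14u) /* SecurityBufferLength, LE16 */
#define SECBUF_MIN_OFF   (SMB2_HDR_LEN + 24u) /* first byte of Buffer */

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Hypothetical helper: locate the security blob of a SESSION_SETUP request.
 * msg/msg_len describe the bytes actually received; min_len is the size of
 * the fixed structure the caller will read from the blob. Returns 0 and sets
 * *blob / *blob_len only if the blob lies wholly inside the message.
 */
int sess_setup_blob(const uint8_t *msg, size_t msg_len, size_t min_len,
                    const uint8_t **blob, size_t *blob_len)
{
    if (msg_len < SECBUF_MIN_OFF)
        return -1;                  /* fixed fields truncated */
    size_t off = rd_le16(msg + SECBUF_OFF_FIELD);
    size_t len = rd_le16(msg + SECBUF_LEN_FIELD);
    if (off < SECBUF_MIN_OFF)
        return -1;                  /* points into header or fixed fields */
    if (off > msg_len || len > msg_len - off)
        return -1;                  /* blob runs past the received bytes */
    if (len < min_len)
        return -1;                  /* too short for the caller's struct */
    *blob = msg + off;
    *blob_len = len;
    return 0;
}

/* Constructed sample: zeroed request of msg_len bytes with the two fields set. */
int check_sample(uint16_t off, uint16_t len, size_t msg_len, size_t min_len)
{
    uint8_t msg[256] = {0};
    const uint8_t *blob;
    size_t blob_len;
    if (msg_len > sizeof(msg))
        return -2;
    msg[SECBUF_OFF_FIELD] = (uint8_t)off; msg[SECBUF_OFF_FIELD + 1] = (uint8_t)(off >> 8);
    msg[SECBUF_LEN_FIELD] = (uint8_t)len; msg[SECBUF_LEN_FIELD + 1] = (uint8_t)(len >> 8);
    return sess_setup_blob(msg, msg_len, min_len, &blob, &blob_len);
}
```

The subtraction form `len > msg_len - off` is used so the comparison cannot wrap, and the lower bound on `off` keeps the blob from aliasing the header.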
Comment 1 Thomas Leroy 2023-07-21 07:15:39 UTC
stable doesn't have the fix afaics
Comment 2 Joey Lee 2023-07-24 06:52:37 UTC
(In reply to Thomas Leroy from comment #1)
> stable doesn't have the fix afaics

commit 98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8         [v6.5-rc1~104^2~4]
Author: Namjae Jeon <linkinjeon@kernel.org>
Date:   Sat Jun 24 12:33:09 2023 +0900

    ksmbd: fix out of bounds read in smb2_sess_setup

stable    [v6.4, need backporting]
Comment 3 Joey Lee 2023-07-24 06:54:03 UTC
Hi Paulo, 

Because this issue relates to samba, could you please help to handle it?

If this is not in your area, just reset the bug assignee to kernel-bugs@suse.de. Kernel Security Sentinel will find another expert.

Thanks a lot!
Comment 4 Joey Lee 2023-07-24 06:59:22 UTC
(In reply to Joey Lee from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > stable doesn't have the fix afaics
> 
> commit 98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8         [v6.5-rc1~104^2~4]
> Author: Namjae Jeon <linkinjeon@kernel.org>
> Date:   Sat Jun 24 12:33:09 2023 +0900
> 
>     ksmbd: fix out of bounds read in smb2_sess_setup
> 
> stable    [v6.4, need backporting]

Found that 98422bdd4c has been backported to stable.

patches.kernel.org/6.4.5-008-ksmbd-fix-out-of-bounds-read-in-smb2_sess_setup.patch

Just need to update References tag in 6.4.5-008-ksmbd-fix-out-of-bounds-read-in-smb2_sess_setup.patch to add bsc#1213545.
Comment 10 Paulo Alcantara 2023-10-02 15:16:53 UTC
Thanks for sharing the document!

Reassigning to security team to close it.
Comment 17 Robert Frohl 2024-05-22 11:08:37 UTC
done, closing