Bug 1213813 (CVE-2023-3865) - VUL-0: CVE-2023-3865: kernel-source-azure,kernel-source-rt,kernel-source: ksmbd: Out-Of-Bounds Read Information Disclosure Vulnerability
Summary: VUL-0: CVE-2023-3865: kernel-source-azure,kernel-source-rt,kernel-source: ksm...
Status: RESOLVED FIXED
Alias: CVE-2023-3865
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373725/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-31 10:42 UTC by Thomas Leroy
Modified: 2024-05-22 20:25 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2023-07-31 10:42:17 UTC 
CVE-2023-3865

This vulnerability allows remote attackers to disclose sensitive information on
affected installations of Linux Kernel. Authentication may or may not be
required to exploit this vulnerability, depending upon configuration.
Furthermore, only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the parsing of smb2_hdr structure. The issue
results from the lack of proper validation of user-supplied data, which can
result in a read past the end of an allocated buffer. An attacker can leverage
this in conjunction with other vulnerabilities to execute arbitrary code in the
context of the kernel.

Upstream fix:
5fe7f7b78290 (ksmbd: fix out-of-bound read in smb2_write)


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3865
https://www.zerodayinitiative.com/advisories/ZDI-23-980/
Comment 1 Thomas Leroy 2023-07-31 10:42:57 UTC 
Only built on stable which already has the fix, so we should be good
Comment 2 Joey Lee 2023-08-01 03:57:54 UTC 
(In reply to Thomas Leroy from comment #1)
> Only built on stable which already has the fix, so we should be good

Yes, looks that no SLE be affected. The issue patch is since v6.4:

commit 5fe7f7b78290638806211046a99f031ff26164e1                 [v6.4~32^2~1]
Author: Namjae Jeon <linkinjeon@kernel.org>
Date:   Thu Jun 15 22:04:40 2023 +0900

    ksmbd: fix out-of-bound read in smb2_write


I still add samba expert, Paulo Alcantara to Cc. But we can close this issue. 

Reset assigner.
Comment 3 Joey Lee 2023-08-01 04:21:11 UTC 
(In reply to Joey Lee from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > Only built on stable which already has the fix, so we should be good
> 
> Yes, looks that no SLE be affected. The issue patch is since v6.4:
> 
> commit 5fe7f7b78290638806211046a99f031ff26164e1                 [v6.4~32^2~1]
> Author: Namjae Jeon <linkinjeon@kernel.org>
> Date:   Thu Jun 15 22:04:40 2023 +0900
> 
>     ksmbd: fix out-of-bound read in smb2_write
> 
> 
> I still add samba expert, Paulo Alcantara to Cc. But we can close this
> issue. 
> 
> Reset assigner.

The above 5fe7f7b78 patch puts changes on fs/smb/server/smb2misc.c, but 15-SP5 doesn't have the C file. It is introduced by e2f34481b24db since v5.15-rc1. So 15-SP5 should not be affected.
Comment 4 Robert Frohl 2024-05-22 20:25:26 UTC 
closing