Bug 1220184 (CVE-2023-52442) - VUL-0: CVE-2023-52442: kernel-source,kernel-source-azure,kernel-source-rt: invalid session id and tree id in compound request
Summary: VUL-0: CVE-2023-52442: kernel-source,kernel-source-azure,kernel-source-rt: in...
Status: RESOLVED FIXED
Alias: CVE-2023-52442
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/394725/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-22 08:58 UTC by SMASH SMASH
Modified: 2024-02-23 08:18 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-22 08:58:11 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate session id and tree id in compound request

`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session()
will always return the first request smb2 header in a compound request.
if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will
return 0, i.e. The tree id check is skipped.
This patch use ksmbd_req_buf_next() to get current command in compound.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52442
https://git.kernel.org/stable/c/4c2b350b2e269e3fd17bbfa42de1b42775b777ac
https://git.kernel.org/stable/c/becb5191d1d5fdfca0198a2e37457bbbf4fe266f
https://www.cve.org/CVERecord?id=CVE-2023-52442
https://git.kernel.org/stable/c/017d85c94f02090a87f4a473dbe0d6ee0da72693
https://git.kernel.org/stable/c/3df0411e13
return 0, i.e. The tree id check is skipped.
This patch use ksmbd_req_buf_next() to get current command in compound.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52442
https://git.kernel.org/stable/c/4c2b350b2e269e3fd17bbfa42de1b42775b777ac
https://git.kernel.org/stable/c/becb5191d1d5fdfca0198a2e37457bbbf4fe266f
https://www.cve.org/CVERecord?id=CVE-2023-52442
https://git.kernel.org/stable/c/017d85c94f02090a87f4a473dbe0d6ee0da72693
https://git.kernel.org/stable/c/3df0411e132ee74a87aa13142dfd2b190275332e
Comment 1 Thomas Leroy 2024-02-22 08:58:52 UTC 
ksmbd only built on stable, which is already fixed. So I guess we're good
Comment 2 Joey Lee 2024-02-23 05:36:18 UTC 
I checked SLE11-SP4-LTSS, SLE15-SP5, SLE15-SP6. We did NOT enable CONFIG_SMB_SERVER since long time ago.

And, stable (Tumbleweed) kernel set CONFIG_SMB_SERVER=m, but ksmbd is NOT in supported.config.

So, this CVE of ksmbd does not affect SLE/openSUSE.

Reset assigner.
Comment 3 Thomas Leroy 2024-02-23 08:18:09 UTC 
Thanks Joey, closing