Bug 1222805 (CVE-2024-26811) - VUL-0: CVE-2024-26811: kernel: ksmbd: validate payload size in ipc response
Status: NEW
Alias: CVE-2024-26811
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400708/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26811:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-15 09:11 UTC by SMASH SMASH
Modified: 2024-05-23 17:33 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Oscar Salvador 2024-04-19 11:04:23 UTC
@Enzo: Can you have a look?

./scripts/check-kernel-fix CVE-2024-26811
a677ebd8ca2f ("ksmbd: validate payload size in ipc response") merged v6.9-rc3~27^2~1
No Fixes tag. Requires manual review for affected branches.
Security fix for CVE-2024-26811 bsc#1222805 with CVSS 5.5
..............................
ACTION NEEDED!
SLE15-SP6: MANUAL: might need backport of a677ebd8ca2f2632ccdecbad7b87641274e15aac ()
SLE15-SP5: MANUAL: might need backport of a677ebd8ca2f2632ccdecbad7b87641274e15aac ()
SLE12-SP5: MANUAL: might need backport of a677ebd8ca2f2632ccdecbad7b87641274e15aac ()
SLE12-SP3-TD: MANUAL: might need backport of a677ebd8ca2f2632ccdecbad7b87641274e15aac ()
Comment 2 Gabriel Krisman Bertazi 2024-05-12 22:35:07 UTC
Hi Enzo, gentle ping for an update on this issue. If we are no longer affected, please forward back to the security team per [1].

In that case, can you please reassign back to sec team [1].

Thank you!
 
[1] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security