[SRU,F/J/M,0/1] CVE-2024-0565

Message ID 20240129214942.75557-1-yuxuan.luo@canonical.com
Series CVE-2024-0565

Message

Yuxuan Luo Jan. 29, 2024, 9:49 p.m. UTC
[Impact]
An out-of-bounds memory read flaw was found in receive_encrypted_standard
in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux
Kernel. This issue occurs due to an integer underflow in the memcpy length
caused by a lack of validation on the client side, leading to a denial of
service and a wild copy.

[Backport]
It is a clean cherry pick for Mantic.

On Focal, a conflict around the struct `smb2_hdr` exists due to
missing 0d35e382e4e9 ("cifs: Create a new shared file holding smb2 pdu
definitions"). However, although the bottom half of the struct
definition has been modified, the CVE-relevant part remains untouched.
It is acceptable to skip this patch and ignore the conflict.

[Test]
Compile and smoke tested by setting up a ksmbd server using
cifsd-team/ksmbd-tools.

[Potential Regression]
The potential regression is limited to the use case in which a kernel samba
server with version 3.0 and above is sending a transformed message.


Paulo Alcantara (1):
  smb: client: fix OOB in receive_encrypted_standard()

 fs/smb/client/smb2ops.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
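
As an added illustration (my own C, not the Ubuntu backport or the upstream kernel patch) of the underflow the [Impact] paragraph describes: a transform message length that is smaller than the transform header wraps the subtracted memcpy length, and the fix is to bound-check the length before deriving anything from it. The header sizes are the on-wire SMB2 sizes from MS-SMB2; the receive-buffer cap and the function names are assumptions.

```c
/* Added illustration, not the kernel's code: how an unvalidated transform
 * message length underflows, and the bounds check a client must do first.
 * Sizes are the on-wire SMB2 sizes (MS-SMB2): a transform header is 52
 * bytes and an SMB2 message header is 64 bytes. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define SMB2_TRANSFORM_HDR_SIZE 52u        /* sizeof(struct smb2_transform_hdr) */
#define SMB2_HDR_SIZE           64u        /* sizeof(struct smb2_hdr) */
#define MAX_PDU_SIZE            (1024u * 1024u) /* assumed receive buffer cap */

/* Unvalidated arithmetic: when pdu_length is smaller than the transform
 * header, the unsigned subtraction wraps to a huge value, which is the
 * "wild copy" length the cover letter describes. Returns the wrapped value
 * and never copies anything. */
uint32_t naive_payload_len(uint32_t pdu_length)
{
	return pdu_length - SMB2_TRANSFORM_HDR_SIZE;
}

/* Hardened version: the transform message must hold the transform header
 * plus at least one SMB2 header, and must fit the receive buffer, before
 * any length is derived from it. */
int checked_payload_len(uint32_t pdu_length, uint32_t *payload_len)
{
	if (pdu_length < SMB2_TRANSFORM_HDR_SIZE + SMB2_HDR_SIZE)
		return -EINVAL;   /* too small: reject instead of subtracting */
	if (pdu_length > MAX_PDU_SIZE)
		return -EMSGSIZE; /* larger than the buffer we would copy into */
	*payload_len = pdu_length - SMB2_TRANSFORM_HDR_SIZE;
	return 0;
}

/* Simulated receive path: pdu_length is the actual byte length of `wire`;
 * the copy happens only after validation succeeds. Returns bytes copied
 * or a negative errno. */
int receive_transform(const uint8_t *wire, uint32_t pdu_length,
		      uint8_t *out, uint32_t out_size)
{
	uint32_t n;
	int rc = checked_payload_len(pdu_length, &n);

	if (rc)
		return rc;
	if (n > out_size)
		return -EMSGSIZE;
	memcpy(out, wire + SMB2_TRANSFORM_HDR_SIZE, n);
	return (int)n;
}
```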

Comments

Stefan Bader Jan. 30, 2024, 8:55 a.m. UTC | #1
On 29.01.24 22:49, Yuxuan Luo wrote:

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Roxana Nicolescu Jan. 30, 2024, 9:35 a.m. UTC | #2
On 01/29, Yuxuan Luo wrote:
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Andrei Gherzan Jan. 30, 2024, 9:57 a.m. UTC | #3
On 24/01/29 04:49PM, Yuxuan Luo wrote:

A big shout for the clear, detailed and descriptive cover letter.

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>
Stefan Bader Jan. 31, 2024, 9:33 a.m. UTC | #4
On 29.01.24 22:49, Yuxuan Luo wrote:

Applied to mantic,jammy,focal:linux/master-next. Thanks.

-Stefan