Linux Kernel CIFS Module Usercopy Vulnerability in SMBDirect Client

Vulnerability

A vulnerability in the Linux kernel's CIFS (Common Internet File System) module has been addressed. The issue arose in the smbdirect client code, where received data was copied from the packet trailer of the smbd_response structure into a buffer with copy_to_iter(). Under CONFIG_HARDENED_USERCOPY=y that copy is rejected, because the smbd_response slab cache did not mark its packet field as permitted for usercopy, and the kernel reported the attempt as a kernel memory exposure. The missing usercopy whitelist on the packet field is the root cause and could allow for unintended memory access.
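The following user-space C program is an added illustration, not code from this page or from the kernel. It models the hardened-usercopy check the kernel applies to a copy out of a slab object: __check_heap_object() permits the copy only when the byte range lies inside the window the cache was created with, which kmem_cache_create_usercopy() records as useroffset/usersize and plain kmem_cache_create() leaves empty. The struct layout, the cache_model type, the PACKET_MAX size and the function names are constructed assumptions; the two cache definitions stand for the unwhitelisted slab that triggered the bug and a slab whose packet trailer is whitelisted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PACKET_MAX 256   /* constructed size of the packet trailer */

/* Constructed stand-in for the slab object: a few header fields followed by
 * the packet trailer that the receive path copies out with copy_to_iter().
 * The real struct smbd_response is larger; only the layout idea matters. */
struct smbd_response_model {
    uint64_t list_next;
    uint64_t list_prev;
    uint32_t pkt_len;
    uint8_t  packet[PACKET_MAX];
};

/* Model of the usercopy metadata a kmem_cache carries. In the kernel it is
 * filled in by kmem_cache_create_usercopy(); plain kmem_cache_create()
 * leaves usersize at 0, i.e. nothing in the object may be copied out. */
struct cache_model {
    const char *name;
    size_t object_size;
    size_t useroffset;
    size_t usersize;
};

/* The "before" cache: created without any usercopy whitelist. */
const struct cache_model smbd_cache_unwhitelisted = {
    "smbd_response", sizeof(struct smbd_response_model), 0, 0
};

/* The "after" cache: only the packet trailer is whitelisted. */
const struct cache_model smbd_cache_whitelisted = {
    "smbd_response", sizeof(struct smbd_response_model),
    offsetof(struct smbd_response_model, packet), PACKET_MAX
};

/* Model of __check_heap_object(): returns 0 if [offset, offset + n) of a slab
 * object lies inside the whitelisted window, -1 where the kernel would call
 * usercopy_abort() and BUG. All arithmetic is on sizes, so it cannot overflow. */
int check_heap_object(const struct cache_model *c, size_t offset, size_t n)
{
    size_t rel;

    if (offset > c->object_size || n > c->object_size - offset)
        return -1;              /* range leaves the object entirely */
    if (c->usersize == 0)
        return -1;              /* no whitelist: every copy is refused */
    if (offset < c->useroffset)
        return -1;              /* begins before the whitelisted window */
    rel = offset - c->useroffset;
    if (rel > c->usersize || n > c->usersize - rel)
        return -1;              /* runs past the end of the window */
    return 0;
}

/* Model of the receive path copying n bytes of the trailer out under
 * CONFIG_HARDENED_USERCOPY=y. Returns bytes copied, or -1 if refused. */
long copy_packet_out(const struct cache_model *c,
                     const struct smbd_response_model *resp,
                     uint8_t *dst, size_t n)
{
    size_t off = offsetof(struct smbd_response_model, packet);

    if (check_heap_object(c, off, n) != 0)
        return -1;
    memcpy(dst, resp->packet, n);
    return (long)n;
}

int main(void)
{
    struct smbd_response_model resp;
    uint8_t out[PACKET_MAX];

    memset(&resp, 0, sizeof resp);
    resp.pkt_len = 64;                          /* constructed sample length */
    memset(resp.packet, 0xab, sizeof resp.packet);

    printf("unwhitelisted cache: %ld\n",
           copy_packet_out(&smbd_cache_unwhitelisted, &resp, out, resp.pkt_len));
    printf("whitelisted cache:   %ld\n",
           copy_packet_out(&smbd_cache_whitelisted, &resp, out, resp.pkt_len));
    /* the whitelist still refuses a copy that would start in the header */
    printf("header copy:         %d\n",
           check_heap_object(&smbd_cache_whitelisted, 0, 16));
    return 0;
}
```

The point of the model is that the whitelist is a property of the cache, not of the caller: the same copy_to_iter() of the same packet bytes is refused or permitted purely by whether the slab was created with the packet field declared as a usercopy region.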

Impact

The vulnerability could lead to a kernel memory exposure, allowing for potential information leaks or memory corruption.

Reproduction

To reproduce this vulnerability, mount a CIFS share using the smbdirect client on a kernel built with CONFIG_HARDENED_USERCOPY=y. Mounting the share triggers a kernel bug from the hardened-usercopy check on the unwhitelisted usercopy operation, exposing kernel memory from the SLUB allocator.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Aug 16, 2025, 12:48 PM
Updated: Aug 16, 2025, 12:48 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.