Linux Kernel CIFS Client Crypto Buffer Vulnerability in SMB2 Operations

Vulnerability

A vulnerability exists in the Linux kernel's CIFS (Common Internet File System) client, specifically in its SMB2 operations. The kernel crypto API, which receives its input through the scatterlist API, requires buffers to be in linear (directly mapped) memory. The aead_request buffer, however, was allocated with kvzalloc(), which may fall back to vmalloc() and place the buffer in the non-linear vmalloc area. When the scatterlist code then validates the buffer's virtual address, the check fails and triggers a kernel BUG, especially under heavy parallel reads and writes on an encrypted mount. The fix changes the allocation to kmalloc(), which guarantees that the buffer stays in linear memory.

Impact

The vulnerability causes a kernel panic reported as an invalid opcode error, raised by the BUG check in the scatterlist code when it is handed a buffer in non-linear memory (on x86, BUG() executes an undefined instruction, which the trap handler reports as an invalid opcode). The system crashes as a result.
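To help an incident responder recognise this crash in a kernel log, the following added Python example (not part of this advisory, and not the kernel's code) parses dmesg-style oops output and flags a BUG reported as an invalid opcode inside the scatterlist code with the SMB client in the call trace. The sample log lines are constructed for illustration; the source line numbers and kernel version in them are placeholders, and crypt_message, smb3_init_transform_rq and smb_send_rqst are assumed to be the SMB client functions on the encryption and send path.

```python
"""Triage dmesg-style output for the CIFS SMB2 crypto-buffer crash signature.

Added example. It does not reproduce the bug; it only classifies oops
reports already present in a log so an analyst can tell this crash apart
from unrelated kernel BUGs.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed SMB client symbols on the SMB2 encryption path (from fs/smb/client).
SMB_CRYPTO_SYMBOLS = {"crypt_message", "smb3_init_transform_rq"}

# Constructed sample log (not a real capture). Two oopses: the first matches
# the advisory's signature, the second is an unrelated BUG in another path.
SAMPLE_DMESG = """\
[  842.101001] kernel BUG at include/linux/scatterlist.h:XXX!
[  842.101030] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  842.101040] CPU: 3 PID: 4112 Comm: dd Not tainted 6.x.y-placeholder #1
[  842.101050] Call Trace:
[  842.101060]  <TASK>
[  842.101070]  crypt_message+0x3a2/0x7f0 [cifs]
[  842.101080]  smb3_init_transform_rq+0x1d4/0x2c0 [cifs]
[  842.101090]  smb_send_rqst+0x1a8/0x2e0 [cifs]
[  842.101100]  </TASK>
[  842.101110] ---[ end trace 0000000000000000 ]---
[  900.000001] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  950.200001] kernel BUG at mm/slub.c:NNN!
[  950.200010] invalid opcode: 0000 [#2] PREEMPT SMP NOPTI
[  950.200020] CPU: 1 PID: 77 Comm: kworker/1:1 Not tainted 6.x.y-placeholder #1
[  950.200030] Call Trace:
[  950.200040]  kfree+0x1f1/0x2d0
[  950.200050]  ext4_release_file+0x3b/0x90 [ext4]
[  950.200060] ---[ end trace 0000000000000000 ]---
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")          # "[  842.101001] " prefix
FRAME_RE = re.compile(r"^(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")


@dataclass
class OopsReport:
    bug_site: Optional[str] = None      # file:line from "kernel BUG at ...!"
    trap: Optional[str] = None          # e.g. "invalid opcode"
    comm: Optional[str] = None          # name of the crashing task
    frames: List[str] = field(default_factory=list)
    modules: Set[str] = field(default_factory=set)

    def is_cifs_crypto_sg_bug(self) -> bool:
        """BUG in scatterlist.h, reported as invalid opcode, reached from cifs."""
        return (self.bug_site is not None
                and "scatterlist.h" in self.bug_site
                and self.trap == "invalid opcode"
                and ("cifs" in self.modules
                     or bool(SMB_CRYPTO_SYMBOLS & set(self.frames))))


def parse_oopses(text: str) -> List[OopsReport]:
    """Split a log into oops reports, from 'kernel BUG at' to 'end trace'."""
    reports: List[OopsReport] = []
    cur: Optional[OopsReport] = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        m = re.match(r"kernel BUG at (\S+)!", line)
        if m:
            cur = OopsReport(bug_site=m.group(1))
            reports.append(cur)
            continue
        if cur is None:
            continue                    # noise outside any oops block
        if re.search(r"\binvalid opcode\b", line):
            cur.trap = "invalid opcode"
        elif (m := re.search(r"\bComm: (\S+)", line)):
            cur.comm = m.group(1)
        elif (m := FRAME_RE.match(line)):
            cur.frames.append(m.group(1))
            if m.group(2):
                cur.modules.add(m.group(2))
        elif line.startswith("---[ end trace"):
            cur = None


    return reports


def triage(text: str) -> List[str]:
    """One human-readable verdict per oops found in the log."""
    verdicts = []
    for r in parse_oopses(text):
        tag = "MATCH cifs crypto scatterlist BUG" if r.is_cifs_crypto_sg_bug() else "other"
        verdicts.append(f"{tag}: task={r.comm} site={r.bug_site} modules={sorted(r.modules)}")
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_DMESG):
        print(v)
```

On a live system the same function can be fed `journalctl -k` or `/var/log/kern.log` output; only the first oops above should be reported as a match, while the unrelated slab BUG is left as "other".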

Reproduction

The vulnerability can be reproduced by running many parallel read and write operations against an encrypted CIFS mount. Under this load, the base stack addresses of tasks are driven to a point where the virtual-address validation fails and the kernel crashes.

Remediation

Users should update to a Linux kernel release that contains the fix. Instructions for updating the kernel are available in the official Linux documentation.

Added: Oct 28, 2025, 12:56 PM
Updated: Oct 28, 2025, 12:56 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  5.4
  remediation     7.7
  relevance       0.8
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.