Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's SMB2 client handling has been addressed. The issue arose because certain variables were left uninitialized, leading to a system crash when specific functions were called. This problem occurred if the initialization functions for opening or closing SMB2 files failed, such as during a reconnection. The vulnerability affected the stable versions of the Linux kernel.
The vulnerability could lead to a system crash (oops) by causing a null pointer dereference. This happens when uninitialized I/O vectors, which are part of the request structure, are accessed after a failed operation, such as a disconnection and reconnection process.
The vulnerability can be reproduced by initiating an SMB2 unlink operation on a file that is open by a different client. During this process, if the SMB2 open or close initialization fails, the request's I/O vectors will remain uninitialized. This can be simulated by disrupting the SMB2 connection while files are open, causing the subsequent unlink operation to reference the uninitialized I/O vectors, leading to a crash.
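The failure pattern described above, as an added user-space model (not kernel code and not the actual patch). All names are hypothetical, the poison byte stands in for leftover stack contents, and zeroing the request before init is an assumed form of the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_IOV 4
#define POISON  0xA5            /* constructed: simulates stale stack bytes */

/* Hypothetical stand-ins for a request and its I/O vectors. */
struct iov { void *base; size_t len; };
struct request { struct iov iov[MAX_IOV]; };

static char hdr_buf[64];

/* Models an init routine: it fills the request only on success. */
static int request_init(struct request *rq, int connected)
{
    if (!connected)
        return -1;              /* e.g. session is reconnecting; rq untouched */
    rq->iov[0].base = hdr_buf;
    rq->iov[0].len = sizeof(hdr_buf);
    return 0;
}

/* Models the cleanup path: counts pointers it would release that init
 * never set. Any non-zero count corresponds to a crash in real code. */
static unsigned int stray_ptrs(const struct request *rq)
{
    unsigned int i, bad = 0;
    for (i = 0; i < MAX_IOV; i++)
        if (rq->iov[i].base != NULL && rq->iov[i].base != hdr_buf)
            bad++;
    return bad;
}

/* Cleanup runs whether or not init succeeded, as in the described bug. */
static unsigned int run(int connected, int fill)
{
    struct request rq;
    memset(&rq, fill, sizeof(rq));
    (void)request_init(&rq, connected);
    return stray_ptrs(&rq);
}

/* Before: request holds whatever was on the stack. After: zeroed first. */
unsigned int unlink_unfixed(int connected) { return run(connected, POISON); }
unsigned int unlink_fixed(int connected)   { return run(connected, 0); }

int main(void)
{
    printf("unfixed, init fails: %u stray\n", unlink_unfixed(0));
    printf("fixed,   init fails: %u stray\n", unlink_fixed(0));
    return 0;
}
```

Even when init succeeds, the unfixed variant leaves the unused vector slots holding stale values, so the cleanup path is only safe once the whole structure is zeroed up front.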
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.