Linux Kernel ksmbd Out-of-Bounds Write Vulnerability in QUERY_INFO Compound Requests

Vulnerability

An out-of-bounds write has been identified in the Linux kernel's ksmbd component. It is triggered when a compound request, such as READ combined with QUERY_INFO(Security), is processed: if the READ command uses up most of the available response buffer, ksmbd may write beyond the allocated buffer while building the security descriptor. The root cause is a mismatch between two size calculations: smb2_get_info_sec() checks the remaining buffer space against ppntsd_size, the size taken from the file's extended attributes, while build_sec_desc() frequently generates a much larger descriptor from the file's POSIX ACLs, so the space check does not bound the write that follows it. As a result, this vulnerability could potentially be exploited to corrupt memory or cause other unintended behaviour.
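The bug class described above is a size check performed against one estimate of the payload while the payload is actually written at a different, larger size. The following is an added illustration in C, not ksmbd's own code: the buffer size, descriptor header size, per-ACE size and the scenario values are all constructed assumptions chosen to make the mismatch visible. The vulnerable variant only reports how many bytes the descriptor would spill past the end of the buffer (it never performs the write), and the corrected variant shows the defensive ordering a reviewer would look for: compute the real descriptor size first, compare that against the remaining space, and refuse the request before touching the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sizes for illustration; these are not ksmbd's real layouts. */
#define RESP_BUF_SIZE  4096u   /* total response buffer shared by the compound */
#define SD_HEADER_SIZE   20u   /* hypothetical fixed security-descriptor header */
#define ACE_SIZE         28u   /* hypothetical size of one ACE built from a POSIX ACL entry */

struct resp_buf {
    uint8_t data[RESP_BUF_SIZE];
    size_t  used;              /* bytes already consumed by earlier commands (e.g. READ) */
};

/* Size the descriptor will really have once built from the POSIX ACL entries. */
static size_t sec_desc_actual_size(unsigned int acl_entries)
{
    return SD_HEADER_SIZE + (size_t)acl_entries * ACE_SIZE;
}

/*
 * Vulnerable pattern: the space check trusts the size recorded in the
 * extended attribute (ppntsd_size), but the descriptor is then built from
 * the POSIX ACL, which can be much larger. Returns the number of bytes that
 * would land past the end of the buffer (0 means no overflow). The write
 * itself is deliberately not performed here.
 */
static size_t vulnerable_query_info_sec(const struct resp_buf *rb,
                                        size_t ppntsd_size,
                                        unsigned int acl_entries)
{
    size_t remaining = RESP_BUF_SIZE - rb->used;

    if (ppntsd_size > remaining)
        return 0;              /* check rejects the request; nothing is written */

    /* Check passed on the xattr estimate; the real descriptor may not fit. */
    size_t actual = sec_desc_actual_size(acl_entries);
    return actual > remaining ? actual - remaining : 0;
}

/*
 * Corrected pattern: size the descriptor from the same source that will
 * produce it, check that size against the remaining space, and only then
 * write. Returns 0 on success, -1 when the descriptor does not fit.
 */
static int fixed_query_info_sec(struct resp_buf *rb,
                                unsigned int acl_entries,
                                size_t *out_len)
{
    size_t remaining = RESP_BUF_SIZE - rb->used;
    size_t actual = sec_desc_actual_size(acl_entries);

    if (actual > remaining)
        return -1;             /* fail the QUERY_INFO rather than overflow */

    /* Stand-in for building the descriptor into the response buffer. */
    memset(rb->data + rb->used, 0xAA, actual);
    rb->used += actual;
    *out_len = actual;
    return 0;
}

/* Constructed scenario: a READ left only 200 bytes free, the xattr claims a
 * 100-byte descriptor, but the POSIX ACL yields a 300-byte descriptor. */
static size_t scenario_vulnerable_overflow(void)
{
    struct resp_buf rb = { .used = RESP_BUF_SIZE - 200u };
    return vulnerable_query_info_sec(&rb, 100u, 10u);
}

static int scenario_fixed_rejects(void)
{
    struct resp_buf rb = { .used = RESP_BUF_SIZE - 200u };
    size_t len = 0;
    return fixed_query_info_sec(&rb, 10u, &len);
}

/* Same buffer state, but a small ACL whose descriptor genuinely fits. */
static size_t scenario_fixed_accepts(void)
{
    struct resp_buf rb = { .used = RESP_BUF_SIZE - 200u };
    size_t len = 0;
    if (fixed_query_info_sec(&rb, 2u, &len) != 0)
        return 0;
    return len;
}

int main(void)
{
    printf("vulnerable path would write %zu bytes past the buffer\n",
           scenario_vulnerable_overflow());
    printf("fixed path return code for the same request: %d\n",
           scenario_fixed_rejects());
    printf("fixed path accepted descriptor length for a small ACL: %zu\n",
           scenario_fixed_accepts());
    return 0;
}
```

The point the scenario makes is that the vulnerable check returns "safe" (ppntsd_size of 100 fits in 200 bytes) while the descriptor actually built is 300 bytes, so 100 bytes would be written past the buffer; the corrected ordering rejects the same request and still accepts a descriptor that genuinely fits.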

Impact

Exploitation of this vulnerability could lead to memory corruption by writing beyond the allocated buffer, which may cause undefined behavior in the application, including potential arbitrary code execution.

Reproduction

To reproduce this vulnerability, send a compound SMB2 request that includes both READ and QUERY_INFO(Security) operations. Ensure that the READ operation consumes most of the response buffer. This will trigger the out-of-bounds write when ksmbd attempts to build a security descriptor, overwriting memory beyond the allocated buffer.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Apr 22, 2026, 10:52 AM
Updated: Apr 22, 2026, 10:52 AM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          0.6
  exploitability  5.7
  remediation     7.7
  relevance       6.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.