Linux Kernel ksmbd Out-of-Bounds Write Vulnerability in File Information Handling

Vulnerability

A vulnerability in the Linux kernel's ksmbd component can lead to an out-of-bounds write. This issue arises in the 'get_file_all_info()' function when processing compound requests that include 'QUERY_DIRECTORY' and 'QUERY_INFO(FILE_ALL_INFORMATION)'. If the first command uses almost the entire maximum transmission size, the function may incorrectly call 'smbConvertToUTF16()' with a path length constant, resulting in a write that exceeds the bounds of the response buffer. The problem is compounded by a lack of validation for the 'OutputBufferLength' provided by the client, which can allow filenames longer than the available buffer space to cause buffer overflows or memory corruption during the conversion process. The vulnerability has been addressed by adding proper buffer length checks and adjusting the conversion function to safely handle filenames within the allowed length.
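As an added illustration (not the kernel's code and not part of this advisory), a simplified C model of the bounds check the fix describes: the UTF-16 conversion is limited by the space left after earlier compound commands and by the client-supplied OutputBufferLength, never by a fixed path-length constant. The struct, function names and the 64-byte buffer are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not the kernel's code): the response buffer, its
 * capacity (max transmission size) and how much is already used. */
struct resp_buf {
    uint8_t *data;
    size_t capacity;   /* max transmission size */
    size_t used;       /* bytes taken by earlier compound commands */
};

/* Convert an ASCII name to UTF-16LE, writing at most out_max bytes.
 * Returns bytes written, or -1 (and writes nothing) if it would not fit. */
static long to_utf16le_bounded(const char *name, uint8_t *out, size_t out_max)
{
    size_t need = strlen(name) * 2;   /* two bytes per UTF-16 code unit */
    if (need > out_max)
        return -1;
    for (size_t i = 0; name[i] != '\0'; i++) {
        out[2 * i] = (uint8_t)name[i];
        out[2 * i + 1] = 0;
    }
    return (long)need;
}

/* Append the file name of a FILE_ALL_INFORMATION-style reply. The limit is
 * the smaller of the space left in the buffer and the client-supplied
 * OutputBufferLength, never a fixed path-length constant. */
long append_file_name(struct resp_buf *rb, const char *name,
                      size_t output_buffer_length)
{
    size_t remaining = rb->capacity > rb->used ? rb->capacity - rb->used : 0;
    size_t limit = remaining < output_buffer_length ? remaining
                                                    : output_buffer_length;
    long n = to_utf16le_bounded(name, rb->data + rb->used, limit);
    if (n < 0)
        return -1;               /* refuse rather than overflow */
    rb->used += (size_t)n;
    return n;
}

/* Run one append against a fresh 64-byte buffer that earlier compound
 * commands already filled to `used` bytes; returns append_file_name's result. */
long scenario(size_t used, const char *name, size_t output_buffer_length)
{
    uint8_t buf[64];
    struct resp_buf rb = { buf, sizeof buf, used };
    return append_file_name(&rb, name, output_buffer_length);
}
```

The advisory's case is `scenario(60, "longname.txt", 64)`: a first command has left 4 bytes, the name needs 24, and the bounded append returns -1 instead of writing past the buffer.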

Impact

Exploitation of this vulnerability can cause memory corruption or a buffer overflow in the kernel, which could be leveraged to execute arbitrary code or to cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a compound SMB request that includes 'QUERY_DIRECTORY' and 'QUERY_INFO(FILE_ALL_INFORMATION)'. Ensure that the 'QUERY_DIRECTORY' command consumes nearly the entire maximum transmission size. This will trigger the 'get_file_all_info()' function to call 'smbConvertToUTF16()' with an unsafe path length, causing an out-of-bounds write.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Apr 22, 2026, 10:46 AM
Updated: Apr 22, 2026, 10:46 AM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          9.0
impact          0.6
exploitability  5.7
remediation     7.7
relevance       6.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.