Linux Kernel ksmbd Sub-Authority Vulnerability in SID Handling

Vulnerability

A vulnerability in the Linux kernel's ksmbd component relates to how Security Identifiers (SIDs) are processed, particularly those with the prefix S-1-5-88-3. The issue arises when a SID has two sub-authorities: it is incorrectly matched against this prefix and processed. If such a SID is positioned at the end of a security descriptor, processing it leads to out-of-bounds memory access. The bytes read beyond the SID are misinterpreted and applied as the file's POSIX mode, which could have unintended consequences. This vulnerability affects several versions of the Linux kernel.
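The missing check described above, as an added example that is not the kernel's or ksmbd's own code: a simplified userspace model in which a prefix-only match accepts a two-sub-authority SID, while the hardened extraction refuses to read a mode unless a third sub-authority is declared and lies inside the buffer. The function names, return codes and sample SIDs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SID_HDR_LEN 8u   /* revision(1) + num_subauth(1) + authority(6) */

/* Read the i-th little-endian 32-bit sub-authority; caller has checked bounds. */
static uint32_t sub_auth(const uint8_t *sid, unsigned i)
{
    const uint8_t *p = sid + SID_HDR_LEN + 4u * i;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Prefix-only match: true for S-1-5-88-3 with two OR more sub-authorities. */
int matches_nfs_mode_prefix(const uint8_t *sid, size_t len)
{
    static const uint8_t nt_authority[6] = {0, 0, 0, 0, 0, 5};

    if (len < SID_HDR_LEN + 8u || sid[0] != 1 || sid[1] < 2)
        return 0;
    return memcmp(sid + 2, nt_authority, 6) == 0 &&
           sub_auth(sid, 0) == 88 && sub_auth(sid, 1) == 3;
}

/* Hardened extraction: the mode is sub-authority index 2, so it must exist
 * in the declared count AND inside the bytes left in the descriptor. */
int nfs_mode_from_sid(const uint8_t *sid, size_t len, uint32_t *mode)
{
    if (!matches_nfs_mode_prefix(sid, len))
        return -1;                      /* not a mode SID */
    if (sid[1] < 3)
        return -2;                      /* prefix only: no mode field present */
    if (len < SID_HDR_LEN + 4u * (size_t)sid[1])
        return -3;                      /* declared count overruns the buffer */
    *mode = sub_auth(sid, 2);
    return 0;
}

/* Constructed sample SIDs (not captured traffic). */
const uint8_t sid_two_subauth[16] = {1, 2, 0,0,0,0,0,5, 88,0,0,0, 3,0,0,0};
const uint8_t sid_with_mode[20]   = {1, 3, 0,0,0,0,0,5, 88,0,0,0, 3,0,0,0,
                                     0xa4,0x01,0,0};   /* mode 0644 */
```

The two-sub-authority sample passes the prefix match but is rejected before any mode is read, which is the distinction the advisory turns on.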

Impact

Exploitation of this vulnerability could lead to incorrect file permission settings, allowing for potential unauthorized access or modification of files.

Reproduction

To reproduce this vulnerability, create a client SID with two sub-authorities that matches the S-1-5-88-3 prefix. Place this SID at the end of a security descriptor. When the SID is processed, it will be incorrectly read as a file mode, applying an out-of-bounds value that could disrupt normal file operations.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Apr 24, 2026, 5:41 PM
Updated: Apr 24, 2026, 5:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 5.7
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.