Linux Kernel SMB Client Out-of-Bounds Read Vulnerability in Symlink Error Response Parsing

A vulnerability in the Linux kernel's SMB client can lead to out-of-bounds reads when parsing symlink error responses. This issue arises because the SMB2 message checking function does not properly validate the length of messages that indicate a symlink error, allowing server-controlled data to be read past the intended buffer limits. The vulnerability is present in the stable versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes out-of-bounds read conditions, which can lead to memory corruption or disclosure of sensitive information from the kernel's memory space.

Reproduction

To reproduce this vulnerability, a client must send a request to an SMB server that responds with a symlink error status. The response will include error context data that, due to improper length validation, can be parsed in a way that reads beyond the allocated buffer. This out-of-bounds data is then decoded and returned to the user space as part of the symlink target, creating a potential information leak.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed.