Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's ksmbd component can lead to memory corruption through a u16 overflow of the Discretionary Access Control List (DACL) size. The set_posix_acl_entries_dacl() and set_ntacl_dacl() functions accumulate Access Control Entry (ACE) sizes in u16 variables. When a file carries many POSIX ACL entries, the total can exceed 65535: the accumulator wraps, and the resulting pointer arithmetic lands inside ACEs that have already been written, overwriting them and truncating the DACL size. The fix adds an overflow check at each accumulation point so the size can never exceed the u16 limit and corrupt the buffer.
The vulnerability can be exploited to corrupt memory by overwriting existing Access Control Entries, leading to potential data loss or instability in the system.
To reproduce this vulnerability, create a file with a large number of POSIX ACL entries. The set_posix_acl_entries_dacl() and set_ntacl_dacl() functions accumulate the sizes of these entries in u16 variables. Once the total exceeds 65535 the accumulator wraps, and the pointer arithmetic lands within already-written ACEs. Overwriting those entries truncates the DACL size, creating the conditions for the vulnerability.
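The mechanism described above, as an added example that is not the kernel's ksmbd code: a u16 size accumulator of the kind the text describes, beside a hardened form that checks for overflow before every addition. The ACE size (16 bytes per entry) and the function names are constructed for the illustration; the checked variant mirrors the approach of the fix (a check at each accumulation point) but is not the kernel's patch.

```c
/* Added example, not kernel code: u16 DACL size accumulation
 * with and without per-step overflow checks. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed: encoded size of one ACE, standing in for the per-entry
 * sizes summed by set_posix_acl_entries_dacl(). */
#define ACE_SIZE 16u

/* Unchecked accumulation in a u16. Once the running total passes 65535
 * it wraps silently, so a caller that advances a pointer by this size
 * lands back inside entries it has already written. */
uint16_t dacl_size_unchecked(size_t n_entries, uint16_t ace_size)
{
    uint16_t size = 0;
    for (size_t i = 0; i < n_entries; i++)
        size += ace_size;          /* may wrap modulo 65536 */
    return size;
}

/* Hardened form: refuse the addition that would push the total past
 * UINT16_MAX, returning -1 instead of wrapping. On success the total is
 * stored in *out and 0 is returned. */
int dacl_size_checked(size_t n_entries, uint16_t ace_size, uint16_t *out)
{
    uint16_t size = 0;
    for (size_t i = 0; i < n_entries; i++) {
        if (ace_size > (uint16_t)(UINT16_MAX - size))
            return -1;             /* would exceed 65535: reject */
        size += ace_size;
    }
    *out = size;
    return 0;
}

/* Convenience wrapper for callers that just want a value: the checked
 * size, or -1 if the entries cannot fit in a u16. */
int dacl_size_or_error(size_t n_entries, uint16_t ace_size)
{
    uint16_t size;
    if (dacl_size_checked(n_entries, ace_size, &size) != 0)
        return -1;
    return (int)size;
}

int main(void)
{
    /* 4096 entries of 16 bytes = 65536 bytes, one past the u16 maximum. */
    printf("unchecked total for 4096 entries: %u\n",
           dacl_size_unchecked(4096, ACE_SIZE));
    printf("checked total for 4096 entries:   %d\n",
           dacl_size_or_error(4096, ACE_SIZE));
    printf("checked total for 100 entries:    %d\n",
           dacl_size_or_error(100, ACE_SIZE));
    return 0;
}
```

With 4096 sixteen-byte entries the unchecked total wraps to 0, which is exactly the truncated DACL size the advisory describes; the checked variant returns an error on the 4096th addition and leaves the 4095-entry case (65520 bytes) intact. Checking before each addition, rather than once at the end, is what keeps the intermediate pointer arithmetic from ever being fed a wrapped value.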
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for updating the kernel can be found in the official Linux documentation.