Linux Kernel ksmbd Out-of-Bounds Write Vulnerability in smb2_get_ea() EA Alignment

Vulnerability

A vulnerability allowing an out-of-bounds write has been identified in the Linux kernel's ksmbd component, specifically within the smb2_get_ea() function. This issue arises because the function applies 4-byte alignment padding via memset() after writing each Extended Attribute (EA) entry. While the function correctly checks the buffer length before copying data, the alignment padding is applied unconditionally afterward, without verifying the remaining buffer space. This flaw can lead to the alignment memset overwriting past the allocated buffer into adjacent kernel heap memory, particularly in compound requests where the response buffer is shared across commands.
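To make the bug class concrete, the following C model is added here; it is not ksmbd's code and not the kernel patch. encode_eas_unchecked() length-checks each entry body but then pads to 4-byte alignment unconditionally, reproducing the pattern described above, while encode_eas_checked() charges the pad against the remaining space before writing anything. The canary harness stands in for the adjacent heap object; the struct layout, function names and buffer sizes are constructed for illustration and do not mirror ksmbd's on-wire EA structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EA_ALIGN 4u
/* Round n up to the next multiple of EA_ALIGN (cast keeps the mask size_t-wide). */
#define ALIGN_UP(n) (((n) + EA_ALIGN - 1) & ~(size_t)(EA_ALIGN - 1))

/* Constructed EA entry: raw name and value bytes (not the real FILE_FULL_EA layout). */
struct ea_entry {
    const uint8_t *name;  size_t name_len;
    const uint8_t *value; size_t value_len;
};

typedef size_t (*ea_encoder)(uint8_t *, size_t, const struct ea_entry *, size_t);

/* Vulnerable pattern: the entry body is bounds-checked, but the alignment pad
 * written after it is not. Returns bytes consumed, or 0 if a body did not fit.
 * On a tight buffer the trailing memset() runs past buf_len. */
size_t encode_eas_unchecked(uint8_t *buf, size_t buf_len,
                            const struct ea_entry *eas, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t body = eas[i].name_len + eas[i].value_len;
        if (body > buf_len - off)               /* body is checked ... */
            return 0;
        memcpy(buf + off, eas[i].name, eas[i].name_len);
        memcpy(buf + off + eas[i].name_len, eas[i].value, eas[i].value_len);
        off += body;
        size_t pad = ALIGN_UP(off) - off;       /* ... the pad is not */
        memset(buf + off, 0, pad);              /* may write past buf_len */
        off += pad;
    }
    return off;
}

/* Hardened form: body plus its trailing pad must fit before any byte is written. */
size_t encode_eas_checked(uint8_t *buf, size_t buf_len,
                          const struct ea_entry *eas, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t body = eas[i].name_len + eas[i].value_len;
        size_t padded = ALIGN_UP(off + body) - off; /* body + alignment pad */
        if (padded > buf_len - off)
            return 0;
        memcpy(buf + off, eas[i].name, eas[i].name_len);
        memcpy(buf + off + eas[i].name_len, eas[i].value, eas[i].value_len);
        memset(buf + off + body, 0, padded - body);
        off += padded;
    }
    return off;
}

/* Runs an encoder into a `logical`-byte buffer that sits at the start of a larger
 * backing array; the bytes after it are a 0xAA canary standing in for the adjacent
 * heap object. Returns how many canary bytes were overwritten and reports the
 * encoder's return value through *written_out. */
size_t canary_bytes_clobbered(ea_encoder enc, size_t logical, size_t *written_out)
{
    enum { BACKING = 32 };
    uint8_t backing[BACKING];
    memset(backing, 0xAA, sizeof backing);

    /* Constructed input: 1-byte name + 5-byte value = 6 bytes of body, which needs
     * 2 pad bytes to reach the next 4-byte boundary. */
    struct ea_entry ea = { (const uint8_t *)"u", 1, (const uint8_t *)"hello", 5 };
    size_t written = enc(backing, logical, &ea, 1);
    if (written_out)
        *written_out = written;

    size_t clobbered = 0;
    for (size_t i = logical; i < BACKING; i++)
        if (backing[i] != 0xAA)
            clobbered++;
    return clobbered;
}

int main(void)
{
    size_t w;
    size_t c = canary_bytes_clobbered(encode_eas_unchecked, 6, &w);
    printf("unchecked pad, 6-byte buffer: %zu canary bytes overwritten, encoder returned %zu\n", c, w);
    c = canary_bytes_clobbered(encode_eas_checked, 6, &w);
    printf("checked pad,   6-byte buffer: %zu canary bytes overwritten, encoder returned %zu\n", c, w);
    c = canary_bytes_clobbered(encode_eas_checked, 8, &w);
    printf("checked pad,   8-byte buffer: %zu canary bytes overwritten, encoder returned %zu\n", c, w);
    return 0;
}
```

With a 6-byte buffer the unchecked encoder accepts the 6-byte body and then zeroes two bytes of the canary, which is exactly the "EA value fills the remaining space" condition the advisory describes; the checked encoder refuses the same input, and only succeeds once the buffer has room for body and pad together.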

Impact

Exploitation of this vulnerability allows an out-of-bounds write into adjacent kernel heap memory, resulting in memory corruption and potentially enabling arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a compound SMB2 request that includes a QUERY_INFO EA response. The first command in the request should consume most of the available buffer, leaving a small remainder for the QUERY_INFO response. This tight buffer situation will trigger the out-of-bounds write when the EA value fills the remaining space, allowing the alignment memset to overwrite past the buffer boundary into adjacent kernel heap memory.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux Kernel Archives.

Added: May 1, 2026, 2:33 PM
Updated: May 1, 2026, 2:33 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          0.6
exploitability  5.7
remediation     7.7
relevance       7.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.