Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 more CPE entries)
A heap-based buffer overflow vulnerability has been identified in the Linux kernel's ksmbd component, specifically in the smb_inherit_dacl() function. The function trusts the num_aces value stored in the parent directory's DACL (Discretionary Access Control List) extended attribute (xattr) and uses it to size a heap allocation. An authenticated client that manipulates the parent directory's security.NTACL xattr can set num_aces to an invalid value, such as 65535, while leaving the actual Access Control Entries (ACEs) intact. The function then makes a large (approximately 8 MB) heap allocation of uninitialized memory that it only partially fills, and on 32-bit kernels the size calculation can also overflow. In addition, the ACE processing loop does not validate the size of each ACE, which opens further avenues for exploitation.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by creating a parent directory over SMB using a legitimate mount.cifs client. After the directory is created, the NTACL extended attribute is manually altered to set num_aces to an invalid value, such as 65535, while preserving the integrity of the posix_acl_hash. This tampering can be done offline or through a concurrent process that bypasses the normal DACL parsing. Once the NTACL is corrupted, a child directory can be created under the parent, triggering the vulnerability as ksmbd attempts to allocate memory based on the manipulated num_aces value.
Users can apply the patch included in the Linux kernel commit 063a7409b0de46d7c770b65bb0338e6fdb3b1f0a to address this vulnerability. This patch validates the num_aces value against the DACL size before allocating memory, ensuring that only appropriate values are used for heap allocations.
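The following is an added illustration of the two checks the fix relies on: bounding num_aces by the DACL's own declared size before any allocation, and guarding the allocation-size multiplication against wrap-around on a 32-bit size. It is example code written for this page, not the ksmbd code from the referenced commit; the header layouts follow the documented NT ACL and ACE formats, while the ACE sample contents, the 128-byte per-entry record size and all function names are assumptions made for the example.

```c
/* Example: validating a DACL's num_aces against the ACL's declared size, and
 * sizing an allocation without integer wrap. Illustrative model only; this is
 * NOT the ksmbd code from the referenced commit. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ACL_HDR_SIZE 8   /* AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2) */
#define ACE_HDR_SIZE 4   /* AceType(1) AceFlags(1) AceSize(2): smallest possible ACE */

/* Walk an ACL buffer (little-endian on-disk layout). Returns the number of
 * ACEs when num_aces and every AceSize are consistent with the declared
 * AclSize, or -1 if the header or any ACE would run past the ACL. */
int validate_acl(const uint8_t *buf, size_t len)
{
    if (len < ACL_HDR_SIZE)
        return -1;
    uint16_t acl_size = buf[2] | (buf[3] << 8);
    uint16_t num_aces = buf[4] | (buf[5] << 8);
    if (acl_size > len || acl_size < ACL_HDR_SIZE)
        return -1;
    /* Cheap bound before any allocation: each ACE is at least ACE_HDR_SIZE
     * bytes, so num_aces cannot exceed body_bytes / ACE_HDR_SIZE. A tampered
     * num_aces of 65535 is rejected here regardless of the ACE contents. */
    if ((size_t)num_aces > (size_t)(acl_size - ACL_HDR_SIZE) / ACE_HDR_SIZE)
        return -1;
    size_t off = ACL_HDR_SIZE;
    for (unsigned i = 0; i < num_aces; i++) {
        if (acl_size - off < ACE_HDR_SIZE)       /* ACE header would overrun */
            return -1;
        uint16_t ace_size = buf[off + 2] | (buf[off + 3] << 8);
        if (ace_size < ACE_HDR_SIZE || ace_size > acl_size - off)
            return -1;                            /* ACE body would overrun */
        off += ace_size;
    }
    return (int)num_aces;
}

/* Bytes needed for num_aces records of per_ace bytes each, refusing any
 * product that would exceed `limit` (pass UINT32_MAX to model a 32-bit
 * size_t). Returns 0 on rejection. */
size_t checked_alloc_size(uint16_t num_aces, size_t per_ace, size_t limit)
{
    if (per_ace == 0 || (size_t)num_aces > limit / per_ace)
        return 0;
    return (size_t)num_aces * per_ace;
}

/* Constructed sample ACL: two 20-byte ACEs (AclSize = 48). The num_aces
 * field is written from the argument so the test can model tampering that
 * changes only the count and leaves the ACEs intact. */
size_t build_sample_acl(uint8_t *out, size_t cap, uint16_t num_aces_field)
{
    const uint16_t ace_size = 20, n_real = 2;
    uint16_t acl_size = ACL_HDR_SIZE + n_real * ace_size;
    if (cap < acl_size)
        return 0;
    memset(out, 0, acl_size);
    out[0] = 2;                                    /* ACL_REVISION */
    out[2] = acl_size & 0xff;       out[3] = acl_size >> 8;
    out[4] = num_aces_field & 0xff; out[5] = num_aces_field >> 8;
    for (int i = 0; i < n_real; i++) {
        uint8_t *ace = out + ACL_HDR_SIZE + i * ace_size;
        ace[0] = 0;                                /* ACCESS_ALLOWED_ACE_TYPE */
        ace[2] = ace_size & 0xff; ace[3] = ace_size >> 8;
        /* mask and SID bytes stay zero: filler for the example */
    }
    return acl_size;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample_acl(buf, sizeof buf, 2);
    printf("intact ACL:   %d ACEs\n", validate_acl(buf, n));
    n = build_sample_acl(buf, sizeof buf, 65535);
    printf("tampered ACL: %d (rejected)\n", validate_acl(buf, n));
    /* 65535 * 128 (assumed per-entry size) is the roughly 8 MB figure; it does
     * not wrap even on 32-bit, so the size check alone is not sufficient. */
    printf("65535*128   = %zu bytes\n", checked_alloc_size(65535, 128, UINT32_MAX));
    printf("65535*70000 = %zu (0 = would wrap on 32-bit)\n",
           checked_alloc_size(65535, 70000, UINT32_MAX));
    return 0;
}
```

The order matters: the count-versus-size bound runs before any allocation, and the per-ACE walk then rejects an AceSize that points past the end of the ACL, so neither an inflated count nor an inflated entry can drive the allocation or the copy loop beyond the bytes that were actually read from the xattr.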