Linux Kernel Out-of-Bounds Read Vulnerability in SMB2 IOCTL Query Info

Vulnerability

A vulnerability allowing an out-of-bounds read has been identified in the Linux kernel's SMB client, specifically within the SMB2 IOCTL query information handling. This issue arises because the QUERY_INFO response branch does not validate the server-supplied output length against the size of the response actually received before copying data to user space. A malicious server can exploit this by returning an oversized output length, causing the kernel to copy past the end of the response and leak adjacent heap memory into user space. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to an out-of-bounds read, allowing adjacent kernel heap memory to be exposed to user space.

Reproduction

The vulnerability can be reproduced by sending a crafted SMB2 FSCTL query from a client to a malicious server that returns an OutputBufferLength larger than the actual QUERY_INFO response. This can be done using tools that allow for the manipulation of SMB2 FSCTL query lengths.
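As an added illustration of the missing check described above (not code from the kernel or from this advisory), the C model below validates a server-supplied output offset and OutputBufferLength against the bytes actually received and the destination size before copying anything. The struct layout, field names and sample responses are constructed for the example and do not mirror the kernel's real SMB2 structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified IOCTL response header: the server tells the client
 * where the QUERY_INFO output starts and how long it is. Both are untrusted. */
struct ioctl_rsp_hdr {
    uint32_t out_off;   /* output offset from the start of the response */
    uint32_t out_len;   /* OutputBufferLength as claimed by the server */
};

/* Returns true and sets *n when out_len bytes at out_off lie entirely inside
 * the rsp_len bytes actually received and fit in a dst_len destination.
 * The vulnerable pattern skips the "out_len > avail" test and copies out_len
 * bytes regardless, reading past the response into adjacent heap memory. */
bool checked_query_info_len(const uint8_t *rsp, size_t rsp_len,
                            size_t dst_len, size_t *n)
{
    struct ioctl_rsp_hdr hdr;
    if (rsp_len < sizeof(hdr))
        return false;                      /* truncated header */
    memcpy(&hdr, rsp, sizeof(hdr));        /* copy out: no unaligned access */
    if (hdr.out_off < sizeof(hdr) || hdr.out_off > rsp_len)
        return false;                      /* offset points outside response */
    size_t avail = rsp_len - hdr.out_off;  /* bytes that really arrived */
    if (hdr.out_len > avail)
        return false;                      /* oversized claim: the bug class */
    if (hdr.out_len > dst_len)
        return false;                      /* would overrun the user buffer */
    *n = hdr.out_len;
    return true;
}

/* Copies the QUERY_INFO output into dst only after the check passes.
 * Returns the number of bytes copied, or 0 if the response was rejected. */
size_t copy_query_info(const uint8_t *rsp, size_t rsp_len,
                       uint8_t *dst, size_t dst_len)
{
    size_t n;
    struct ioctl_rsp_hdr hdr;
    if (!checked_query_info_len(rsp, rsp_len, dst_len, &n))
        return 0;
    memcpy(&hdr, rsp, sizeof(hdr));
    memcpy(dst, rsp + hdr.out_off, n);
    return n;
}

/* Constructed sample response: header followed by 12 payload bytes.
 * Returns the total length written to buf, or 0 if cap is too small. */
size_t build_sample_rsp(uint8_t *buf, size_t cap, uint32_t out_off, uint32_t out_len)
{
    static const uint8_t payload[12] = "QUERY_INFO!";  /* 11 chars + NUL */
    struct ioctl_rsp_hdr hdr = { out_off, out_len };
    if (cap < sizeof(hdr) + sizeof(payload))
        return 0;
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), payload, sizeof(payload));
    return sizeof(hdr) + sizeof(payload);
}
```

A server claiming 200 output bytes in a 20-byte response is rejected outright instead of being allowed to drive a 200-byte copy.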

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.

Added: May 1, 2026, 2:31 PM
Updated: May 1, 2026, 2:31 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.