Linux Kernel ksmbd Heap Buffer Overflow Vulnerability via Signedness Error in SMB Direct Negotiation

Vulnerability

A heap buffer overflow has been identified in ksmbd, the Linux kernel's in-kernel SMB server, in its SMB Direct (RDMA) transport. The root cause is a signedness bug in 'smb_direct_prepare_negotiation()': when the server reconciles its own 'max_recv_size' with the 'preferred_send_size' carried in the client's SMB Direct negotiate request, both values are unsigned __u32 but are cast to a signed integer for the comparison. A 'preferred_send_size' with the top bit set (for example 0x80000000) is therefore treated as negative, wins the minimum comparison, and is adopted as the negotiated receive size even though, read back as unsigned, it is far larger than the receive buffer the server actually allocated. Because the length check on subsequent SMB Direct messages is performed against this bogus negotiated value, it no longer bounds what is written into the receive buffer, and a later message can overflow it on the heap.

Impact

Successful exploitation corrupts kernel heap memory. The most likely outcome is a kernel crash (denial of service); with a sufficiently controlled overflow, arbitrary code execution in kernel context cannot be ruled out. The negotiate request is processed before any SMB session setup, so no credentials are needed, but the target must run ksmbd with its RDMA (SMB Direct) transport enabled and be reachable over an RDMA-capable network.

Reproduction

To reproduce, send an SMB Direct negotiate request with 'preferred_send_size' set to 0x80000000. Compared as a signed integer this value is negative, so the server treats it as smaller than its own 'max_recv_size' and adopts it as the negotiated maximum receive size for the connection. Then send a second SMB Direct message whose payload exceeds 1420 bytes: the length check against the negotiated size passes, and the data is written past the end of the heap receive buffer, triggering the overflow.
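The comparison described above, modelled in user space as an added example (this is not ksmbd code, and the function names, the MIN_T macro and the 2000-byte payload are constructed for illustration; only the 1420-byte buffer size and the 0x80000000 value are taken from the advisory). The signed form reproduces the bug; the unsigned form shows the kind of fix that closes it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the server's receive buffer size (the advisory
 * quotes 1420 bytes as the point beyond which the overflow occurs). */
#define SERVER_MAX_RECV_SIZE 1420u

/* Mirrors the shape of the kernel's min_t(type, a, b): both operands are
 * cast to `type` before the comparison. */
#define MIN_T(type, a, b) (((type)(a) < (type)(b)) ? (type)(a) : (type)(b))

/* Vulnerable form: two __u32 sizes compared as int.  0x80000000 converts to
 * INT_MIN (modular conversion on every mainstream compiler, mandated since
 * C23), so it "wins" the minimum and comes back unchanged as a huge value. */
uint32_t negotiate_recv_size_signed(uint32_t server_max, uint32_t peer_preferred_send)
{
    return (uint32_t)MIN_T(int, server_max, peer_preferred_send);
}

/* Hardened form: take the minimum in the operands' own unsigned type, so a
 * peer value with the top bit set can never compare below server_max. */
uint32_t negotiate_recv_size_unsigned(uint32_t server_max, uint32_t peer_preferred_send)
{
    return MIN_T(uint32_t, server_max, peer_preferred_send);
}

/* Length check applied to a later data-transfer message; 1 = accepted. */
int data_message_accepted(uint32_t negotiated_recv_size, uint32_t payload_len)
{
    return payload_len <= negotiated_recv_size;
}

/* 1 if a payload both passes the check and exceeds the real buffer, i.e. the
 * heap overflow is reachable with this negotiated size. */
int overflow_reachable(uint32_t negotiated_recv_size, uint32_t payload_len,
                       uint32_t buffer_len)
{
    return data_message_accepted(negotiated_recv_size, payload_len) &&
           payload_len > buffer_len;
}

int main(void)
{
    const uint32_t crafted = 0x80000000u; /* attacker's preferred_send_size */
    const uint32_t payload = 2000u;       /* second message, larger than 1420 bytes */

    uint32_t vuln = negotiate_recv_size_signed(SERVER_MAX_RECV_SIZE, crafted);
    uint32_t safe = negotiate_recv_size_unsigned(SERVER_MAX_RECV_SIZE, crafted);

    printf("signed min   -> negotiated 0x%08x, %u-byte payload accepted=%d overflow=%d\n",
           vuln, payload, data_message_accepted(vuln, payload),
           overflow_reachable(vuln, payload, SERVER_MAX_RECV_SIZE));
    printf("unsigned min -> negotiated 0x%08x, %u-byte payload accepted=%d overflow=%d\n",
           safe, payload, data_message_accepted(safe, payload),
           overflow_reachable(safe, payload, SERVER_MAX_RECV_SIZE));
    return 0;
}
```

The point to carry away when reviewing similar code: a minimum or maximum over sizes must be taken in the type the sizes actually have, and `-Wsign-compare`/`-Wsign-conversion` will not flag the cast that `min_t(int, ...)` performs, so this class of bug has to be caught by reading the types of the operands.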

Remediation

Upgrade to a kernel that contains the fix, which is available in the official Linux Git repository; distribution kernels receive it through their regular stable updates. Until the update is applied, exposure is limited to hosts that load the ksmbd module and serve SMB over an RDMA (SMB Direct) transport, since the faulty comparison only runs during SMB Direct negotiation; serving ksmbd over TCP only, or not loading the module, removes the reachable path.

Added: May 6, 2026, 3:12 PM
Updated: May 6, 2026, 3:12 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          0.6
exploitability  5.7
remediation     7.7
relevance       7.6
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.