Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's CIFS client can lead to a buffer overflow. This issue arises when the CIFS client incorrectly interprets an Access Control Entry (ACE) Security Identifier (SID) as a valid NFS mode SID. The vulnerability is present in the Linux kernel stable group, specifically in the SMB client component. The problem occurs because the 'parse_dacl()' function assumes that the ACE contains three subauthorities. However, a malicious server can craft an ACE with only two subauthorities that still matches the expected NFS mode SID, causing the client to read beyond the end of the ACE and into adjacent memory.
Exploitation of this vulnerability can cause a buffer overflow, where the CIFS client reads data beyond the allocated memory for the ACE. This type of memory corruption can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.
To reproduce this vulnerability, a malicious server can be set up to send an ACE with 'num_subauth' set to 2 and 'sub_auth' values that match the 'sid_unix_NFS_mode'. When the CIFS client receives this ACE, it will incorrectly process it as a valid NFS mode SID and attempt to read the mode bits, leading to a buffer overflow by reading four bytes past the end of the ACE.
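The check the client needs before it trusts an ACE's SID, as an added user-space C example that is not the kernel's own parse_dacl() or compare_sids() code. It assumes the on-wire layout (ACE header: type, flags, LE16 size; SID: revision, num_subauth, 6-byte authority, LE32 sub-authorities), assumes sid_unix_NFS_mode is S-1-5-88-3-<mode>, and uses constructed sample ACEs rather than captured traffic; the point is that num_subauth is validated against the buffer and against the expected count of three before any sub-authority is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ACE_HDR_LEN 4          /* type(1) flags(1) size(2, LE) */
#define SID_HDR_LEN 8          /* revision(1) num_subauth(1) authority(6) */
#define NFS_MODE_SUBAUTHS 3    /* S-1-5-88-3-<mode>: exactly three sub-authorities (assumed) */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Return the POSIX mode bits carried by an NFS-mode SID, or -1 if the ACE is
 * not such a SID or its SID does not fit in the `len` bytes we actually hold.
 * num_subauth is checked against the buffer and against the expected count
 * BEFORE sub_auth[] is touched, so a SID carrying only the first two matching
 * sub-authorities (S-1-5-88-3) is rejected instead of sub_auth[2] being read
 * four bytes past the end of the ACE.
 */
int nfs_mode_from_ace(const uint8_t *ace, size_t len)
{
    static const uint8_t nt_authority[6] = {0, 0, 0, 0, 0, 5};
    const uint8_t *sid;
    uint8_t num_subauth;
    size_t need;

    if (len < ACE_HDR_LEN + SID_HDR_LEN)
        return -1;
    sid = ace + ACE_HDR_LEN;
    if (sid[0] != 1)                           /* SID revision must be 1 */
        return -1;
    num_subauth = sid[1];
    need = ACE_HDR_LEN + SID_HDR_LEN + 4u * num_subauth;
    if (need > len || need > (size_t)(ace[2] | ace[3] << 8))
        return -1;                             /* SID claims more than buffer or ACE size holds */
    if (num_subauth != NFS_MODE_SUBAUTHS)      /* the fix: a 2-subauth SID is NOT an NFS-mode SID */
        return -1;
    if (memcmp(sid + 2, nt_authority, 6) != 0 || le32(sid + 8) != 88 || le32(sid + 12) != 3)
        return -1;
    return (int)(le32(sid + 16) & 07777);      /* only reached when sub_auth[2] is in bounds */
}

/* Constructed sample ACEs (not captured from a real server). */
const uint8_t good_ace[] = {0x00, 0x00, 24, 0x00,            /* well-formed S-1-5-88-3-0644 */
    1, 3, 0, 0, 0, 0, 0, 5, 88, 0, 0, 0, 3, 0, 0, 0, 0xA4, 0x01, 0, 0};
const uint8_t short_ace[] = {0x00, 0x00, 20, 0x00,           /* only two sub-authorities */
    1, 2, 0, 0, 0, 0, 0, 5, 88, 0, 0, 0, 3, 0, 0, 0};
```

The well-formed ACE yields mode 0644; the two-subauthority ACE, which the unpatched client would accept and then over-read, is rejected before any mode bits are read.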
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel's official website.