Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 further CPE entries)
- < 6.10
A vulnerability in the Linux kernel's SMB client has been addressed in which the write payload was encrypted in place during the SMB2 write operation. The issue arises because the write payload is shared as part of the request I/O vector, so encryption transforms the caller's data in place. When a replayable error occurs and the write is retried, the already-encrypted buffer is sent instead of the original plaintext, corrupting the data on the server. The problem is most noticeable over unstable connections, where write retries are frequent and can resend already-encrypted data. It affects several operations that go through the same write path, including SFU mknod and MF symlinks, and was present in kernel versions prior to 6.10, before the netfs conversion.
The vulnerability could lead to data corruption by allowing encrypted data to be sent in place of the original plaintext during SMB2 write operations, particularly after a connection error that triggers a write retry.
To reproduce this vulnerability, initiate an SMB2 write operation over a connection that can be deliberately disrupted, causing a replayable error. After the error, observe that the same write operation is retried, but this time the payload is encrypted data instead of the original, leading to corruption.
The vulnerability has been fixed by modifying the write payload handling. The payload is now moved into a separate request iterator before encryption, ensuring that the original data is preserved. Users should upgrade to the latest stable version of the Linux kernel where this fix has been applied.