Linux Kernel ksmbd Inherited ACE SID Length Validation Vulnerability

Vulnerability

The Linux kernel's ksmbd component improperly validates the Security Identifiers (SIDs) of inherited Access Control Entries (ACEs). The issue arises because the function smb_inherit_dacl() does not verify that the variable-length SID, as described by sid.num_subauth, is fully contained within the ACE. A malformed inheritable ACE that advertises more subauthorities than are actually present can exploit this oversight, potentially leading to memory corruption. The vulnerability affects the Linux kernel stable tree.
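The containment check described above, as an added userspace example (not the kernel patch and not ksmbd's code). It assumes the MS-DTYP wire layout of a basic ACE (4-byte header, 4-byte access mask, then the SID); the helper name, macros and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACE_HDR_LEN     4   /* type, flags, 16-bit little-endian size */
#define ACE_MASK_LEN    4   /* access mask */
#define SID_FIXED_LEN   8   /* revision, num_subauth, 6-byte authority */
#define SID_MAX_SUBAUTH 15  /* SubAuthorityCount limit in MS-DTYP */
#define SID_OFFSET      (ACE_HDR_LEN + ACE_MASK_LEN)

/* Hypothetical helper: 1 if the ACE and the SID it advertises both lie
 * inside the 'remaining' bytes of the parent DACL, 0 otherwise. */
int ace_sid_in_bounds(const uint8_t *ace, size_t remaining)
{
    size_t ace_size, need;
    uint8_t num_subauth;

    /* Fixed fields must be present before any of them is read. */
    if (remaining < SID_OFFSET + SID_FIXED_LEN)
        return 0;
    ace_size = (size_t)ace[2] | ((size_t)ace[3] << 8);
    if (ace_size > remaining)
        return 0;                /* ACE claims more than the DACL holds */
    num_subauth = ace[SID_OFFSET + 1];
    if (num_subauth > SID_MAX_SUBAUTH)
        return 0;
    need = SID_OFFSET + SID_FIXED_LEN + 4u * (size_t)num_subauth;
    return need <= ace_size;     /* advertised SID must fit in the ACE */
}

/* Constructed samples: inheritable allow ACE, size 20, SID S-1-1-0. */
static const uint8_t good_ace[20] = {
    0x00, 0x03, 0x14, 0x00,  0xff, 0x01, 0x1f, 0x00,
    0x01, 0x01, 0, 0, 0, 0, 0, 1,  0, 0, 0, 0 };
/* Same bytes, but num_subauth claims 5 sub-authorities (needs 36 bytes). */
static const uint8_t bad_ace[20] = {
    0x00, 0x03, 0x14, 0x00,  0xff, 0x01, 0x1f, 0x00,
    0x01, 0x05, 0, 0, 0, 0, 0, 1,  0, 0, 0, 0 };

int main(void)
{
    printf("good: %d\n", ace_sid_in_bounds(good_ace, sizeof good_ace));
    printf("bad:  %d\n", ace_sid_in_bounds(bad_ace, sizeof bad_ace));
    return 0;
}
```

A parser that copies or walks the SID should run a check of this kind first and skip or reject any ACE that fails it.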

Impact

The vulnerability can be exploited to cause a buffer overflow, allowing for memory corruption.

Reproduction

The vulnerability can be reproduced by creating a malformed inheritable ACE that advertises more subauthorities than are actually present. When the smb_inherit_dacl() function processes this ACE, it reads past the allocated buffer, causing a buffer overflow.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: May 15, 2026, 6:23 AM
Updated: May 15, 2026, 6:23 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 5.7
remediation: 7.7
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.