Linux Kernel SMB Client DACL Offset Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's SMB client implementation, specifically within the handling of Discretionary Access Control Lists (DACLs). The issue arises because the client does not properly validate the DACL offset received from the server before using it to build pointers to DACL data. This flaw can be exploited by a malicious server, particularly in 32-bit environments, by sending an offset that wraps around and bypasses normal bounds checks. As a result, the client may incorrectly process DACL information, potentially leading to unauthorized changes in file ownership or permissions.

Impact

Exploitation of this vulnerability allows a malicious server to manipulate DACLs in a way that could cause improper handling of file permissions, particularly during ownership transfers.

Reproduction

To reproduce this vulnerability, connect to a malicious SMB server that sends a DACL offset near the maximum value for a 32-bit unsigned integer. When the client uses this offset to build the DACL pointer, the result wraps around, producing a pointer that bypasses the usual bounds checks and allows DACL fields to be incorrectly processed.
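
The wraparound described above, shown as an added example that is not the kernel's code or its fix: a pointer-after-addition bounds check beside a check that validates the offset against the buffer length first. Addresses are modeled as uint32_t to represent a 32-bit client; the function names, header sizes and sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. Addresses are uint32_t so the 32-bit
 * wraparound is well-defined unsigned arithmetic rather than pointer overflow. */
#define SD_HDR_LEN  20u /* assumed size of the security descriptor header */
#define ACL_HDR_LEN 8u  /* assumed size of the fixed ACL header */

/* Weak pattern: form the DACL address first, then compare it with the end of
 * the received buffer. A huge offset wraps and lands below `base`. */
bool dacl_check_weak(uint32_t base, uint32_t buf_len, uint32_t dacl_off)
{
    uint32_t end  = base + buf_len;
    uint32_t dacl = base + dacl_off;      /* wraps modulo 2^32 */
    return dacl + ACL_HDR_LEN <= end;     /* true for a wrapped address */
}

/* Hardened pattern: validate the offset against the buffer length before any
 * address is derived from it. No addition involves the untrusted value. */
bool dacl_check_strict(uint32_t buf_len, uint32_t dacl_off)
{
    if (buf_len < SD_HDR_LEN + ACL_HDR_LEN)
        return false;                     /* too short to hold a DACL at all */
    return dacl_off >= SD_HDR_LEN && dacl_off <= buf_len - ACL_HDR_LEN;
}

int main(void)
{
    const uint32_t base = 0xBFFF0000u, len = 0x100u; /* constructed values */
    const uint32_t offs[] = { 0x14u, 0x200u, 0xFFFFFFF0u };

    for (size_t i = 0; i < sizeof(offs) / sizeof(offs[0]); i++)
        printf("off=0x%08x weak=%d strict=%d\n", (unsigned)offs[i],
               dacl_check_weak(base, len, offs[i]),
               dacl_check_strict(len, offs[i]));
    return 0;
}
```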

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux documentation.

Added: May 28, 2026, 11:42 AM
Updated: May 28, 2026, 11:42 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 5.3
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.