Bug 2253611 (CVE-2023-6606) - CVE-2023-6606 kernel: Out-Of-Bounds Read vulnerability in smbCalcSize
Summary: CVE-2023-6606 kernel: Out-Of-Bounds Read vulnerability in smbCalcSize
Keywords:
Status: NEW
Alias: CVE-2023-6606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2253612
Blocks: 2253609
TreeView+ depends on / blocked
 
Reported: 2023-12-08 07:47 UTC by Rohit Keshri
Modified: 2024-04-17 19:06 UTC (History)
46 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0858 0 None None None 2024-02-19 01:12:30 UTC
Red Hat Product Errata RHBA-2024:1336 0 None None None 2024-03-14 15:40:48 UTC
Red Hat Product Errata RHBA-2024:1379 0 None None None 2024-03-19 15:00:35 UTC
Red Hat Product Errata RHSA-2024:0723 0 None None None 2024-02-07 16:25:45 UTC
Red Hat Product Errata RHSA-2024:0725 0 None None None 2024-02-07 16:21:51 UTC
Red Hat Product Errata RHSA-2024:0881 0 None None None 2024-02-20 12:28:50 UTC
Red Hat Product Errata RHSA-2024:0897 0 None None None 2024-02-20 12:33:32 UTC
Red Hat Product Errata RHSA-2024:1188 0 None None None 2024-03-06 12:37:45 UTC
Red Hat Product Errata RHSA-2024:1248 0 None None None 2024-03-12 00:45:32 UTC
Red Hat Product Errata RHSA-2024:1404 0 None None None 2024-03-19 17:27:45 UTC

Description Rohit Keshri 2023-12-08 07:47:46 UTC 
An Out-Of-Bounds Read vulnerability in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This flaw could allow a local attacker to crash the system or leak internal kernel information.

Refer;
http://bugzilla.kernel.org/show_bug.cgi?id=218218

[1] Retrieve WordCount and add offset*2 to the data part of smb
[2] Retrieve a 16-byte value from the calculated pointer

```c
unsigned int
smbCalcSize(void *buf)
{
	struct smb_hdr *ptr = buf;
	return (sizeof(struct smb_hdr) + (2 * ptr->WordCount) +
		2 /* size of the bcc field */ + get_bcc(ptr));
}
...
static inline __u16
get_bcc(struct smb_hdr *hdr)
{
	__le16 *bc_ptr = (__le16 *)BCC(hdr);

	return get_unaligned_le16(bc_ptr);//[2]
}
...
static inline void *
BCC(struct smb_hdr *smb)
{
	return (void *)smb + sizeof(*smb) + 2 * smb->WordCount; //[1]
}
```


[2] cifs_demultiplex_thread → standard_receive3 → cifs_handle_standard → checkSMB → smbCalcSize

```c
int
checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server)
{
	struct smb_hdr *smb = (struct smb_hdr *)buf;
	__u32 rfclen = be32_to_cpu(smb->smb_buf_length);
	__u32 clc_len;  /* calculated length */
	cifs_dbg(FYI, "checkSMB Length: 0x%x, smb_buf_length: 0x%x\n",
		 total_read, rfclen);

	/* is this frame too small to even get to a BCC? */
	if (total_read < 2 + sizeof(struct smb_hdr)) {
...
	}

	/* otherwise, there is enough to get to the BCC */
	if (check_smb_hdr(smb))
		return -EIO;
	clc_len = smbCalcSize(smb);
Comment 1 Rohit Keshri 2023-12-08 08:24:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2253612]
Comment 6 Justin M. Forbes 2024-01-15 19:36:30 UTC 
This was fixed for Fedora with the 6.6.9 stable kernel  updates.
Comment 7 errata-xmlrpc 2024-02-07 16:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0725 http://access.redhat.com/errata/RHSA-2024:0725
Comment 8 errata-xmlrpc 2024-02-07 16:25:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0723 http://access.redhat.com/errata/RHSA-2024:0723
Comment 9 errata-xmlrpc 2024-02-20 12:28:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0881 http://access.redhat.com/errata/RHSA-2024:0881
Comment 10 errata-xmlrpc 2024-02-20 12:33:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0897 http://access.redhat.com/errata/RHSA-2024:0897
Comment 11 errata-xmlrpc 2024-03-06 12:37:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1188 http://access.redhat.com/errata/RHSA-2024:1188
Comment 13 errata-xmlrpc 2024-03-12 00:45:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1248 http://access.redhat.com/errata/RHSA-2024:1248
Comment 15 errata-xmlrpc 2024-03-19 17:27:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 http://access.redhat.com/errata/RHSA-2024:1404
Note You need to log in before you can comment on or make changes to this bug.