CVE-2023-54250

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: avoid out of bounds access in decode_preauth_ctxt()

Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within the SMB request boundary; deassemble_neg_contexts() only checks that the eight byte smb2_neg_context header + (client controlled) DataLength are within the packet boundary, which is insufficient.

Checking for sizeof(struct smb2_preauth_neg_context) is overkill given that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < 39f5b4b313b445c980a2a295bed28228c29228edaffected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < a2f6ded41bec1d3be643c80a5eb97f1680309001affected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < f02edb9debbd36f44efa7567031485892c7df60daffected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < e7067a446264a7514fa1cfaa4052cdb6803bc6a2affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.145 <= 5.15.*unaffected
LinuxLinux6.1.25 <= 6.1.*unaffected
LinuxLinux6.2.12 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References