Severity: HIGH
smb Client Message OOB
CVE-2023-6610
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI score: 7.1 HIGH
01 Description
An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
02 KernelScan AI Analysis
Risk summary
A malicious SMB server can send crafted responses that cause the Linux SMB client to read beyond buffer boundaries, potentially crashing the system or leaking kernel memory contents. This affects systems that connect to untrusted SMB servers or operate on networks where SMB traffic can be intercepted and modified.
Vulnerability analysis
Root Cause: The smb2_dump_detail() function calls server->ops->calc_smb_size(buf) without first validating the SMB message structure. The calc_smb_size() function assumes the buffer contains a valid SMB2 message and reads fields from it to calculate the size. If the buffer contains malformed or truncated data, this can result in reading beyond the buffer boundaries.
Attack Surface: This vulnerability affects the SMB client implementation and can be triggered by a malicious SMB server sending crafted responses. An attacker would need to control an SMB server that the victim connects to, or perform a man-in-the-middle attack on SMB traffic. The vulnerability requires local access to mount SMB shares or network access to influence SMB communications.
Fix Mechanism: The patch adds a validation check using server->ops->check_message() before calling calc_smb_size(). The check_message() function validates the SMB2 header structure, command validity, and message length before allowing size calculation. Additionally, the patch reorders validation checks in smb2_check_message() to perform header validation before length checks, ensuring basic structure validity before accessing fields.
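Added illustration of the fix pattern described above, not code from the kernel or from the patch: a stand-alone C model in which the message size is derived only after a header-first check has passed. It assumes a simplified size rule (64-byte header plus the body's declared StructureSize) and uses a constructed sample message rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Stand-alone model of the SMB2 header layout (MS-SMB2); not the kernel's structs. */
#define SMB2_HDR_SIZE     64   /* fixed header length; the header's StructureSize must be 64 */
#define SMB2_NUM_COMMANDS 19   /* Command 0x0000 (NEGOTIATE) .. 0x0012 (OPLOCK_BREAK) */
#define OFF_STRUCT_SIZE   4    /* u16 header StructureSize */
#define OFF_COMMAND       12   /* u16 Command */
#define OFF_BODY_SSIZE    64   /* u16 StructureSize of the body that follows the header */
#define SAMPLE_LEN        (SMB2_HDR_SIZE + 9)
static const uint8_t SMB2_PROTO_ID[4] = { 0xFE, 'S', 'M', 'B' };
enum smb2_check { SMB2_OK, SMB2_ERR_HDR_SHORT, SMB2_ERR_PROTO, SMB2_ERR_HDR_SSIZE,
                  SMB2_ERR_COMMAND, SMB2_ERR_LENGTH };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Trusting size calculation (simplified: header plus the body's declared StructureSize).
 * It reads fields assuming a well-formed message; calling it on an unvalidated buffer is
 * the pattern the advisory describes, and on a truncated buffer the read lands out of bounds. */
static size_t smb2_calc_size_unchecked(const uint8_t *buf) {
    return SMB2_HDR_SIZE + rd16(buf + OFF_BODY_SSIZE);
}

/* Header-first validation: structure, then command, then the length derived from fields. */
static enum smb2_check smb2_check_message(const uint8_t *buf, size_t len) {
    if (len < SMB2_HDR_SIZE + 2) return SMB2_ERR_HDR_SHORT;          /* bound before any field read */
    if (memcmp(buf, SMB2_PROTO_ID, 4) != 0) return SMB2_ERR_PROTO;
    if (rd16(buf + OFF_STRUCT_SIZE) != SMB2_HDR_SIZE) return SMB2_ERR_HDR_SSIZE;
    if (rd16(buf + OFF_COMMAND) >= SMB2_NUM_COMMANDS) return SMB2_ERR_COMMAND;
    if (smb2_calc_size_unchecked(buf) > len) return SMB2_ERR_LENGTH;  /* fields now safe to use */
    return SMB2_OK;
}

/* Hardened dump path: size is only derived after the message passes the checks above. */
static enum smb2_check smb2_dump_size(const uint8_t *buf, size_t len, size_t *size_out) {
    enum smb2_check rc = smb2_check_message(buf, len);
    if (rc != SMB2_OK) return rc;
    *size_out = smb2_calc_size_unchecked(buf);
    return SMB2_OK;
}

/* Constructed sample (not captured traffic): 64-byte header followed by a 9-byte body. */
static size_t build_sample(uint8_t *out, uint16_t command, uint16_t body_ssize) {
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, SMB2_PROTO_ID, 4);
    wr16(out + OFF_STRUCT_SIZE, SMB2_HDR_SIZE);
    wr16(out + OFF_COMMAND, command);
    wr16(out + OFF_BODY_SSIZE, body_ssize);
    return SAMPLE_LEN;
}
```

On a truncated buffer the short-header check fails before any field is read, and a body StructureSize larger than the buffer is rejected as a length error rather than trusted.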
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| mainline | 6.7 | 567320c46a60 |