CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-50151: smb: client: fix OOBs when building SMB2_IOCTL request

7.8 CVSS

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOBs when building SMB2_IOCTL request

When using encryption, either enforced by the server or when using
'seal' mount option, the client will squash all compound request buffers
down for encryption into a single iov in smb2_set_next_command().

SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
SMB2_IOCTL request in the first iov, and if the user passes an input
buffer that is greater than 328 bytes, smb2_set_next_command() will
end up writing off the end of @rqst->iov[0].iov_base as shown below:

mount.cifs //srv/share /mnt -o ...,seal
ln -s $(perl -e "print('a')for 1..1024") /mnt/link

BUG: KASAN: slab-out-of-bounds in
smb2_set_next_command.cold+0x1d6/0x24c [cifs]
Write of size 4116 at addr ffff8881148fcab8 by task ln/859

CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-2.fc40 04/01/2014
Call Trace:

dump_stack_lvl+0x5d/0x80
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
print_report+0x156/0x4d9
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
? __virt_addr_valid+0x145/0x310
? __phys_addr+0x46/0x90
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
kasan_report+0xda/0x110
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
kasan_check_range+0x10f/0x1f0
__asan_memcpy+0x3c/0x60
smb2_set_next_command.cold+0x1d6/0x24c [cifs]
smb2_compound_op+0x238c/...

Classification

CVE ID: CVE-2024-50151

CVSS Base Severity: HIGH

CVSS Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.77% (scored less or equal to compared to others)

EPSS Date: 2025-06-02 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50151
https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49
https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d
https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470
https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531
https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510
https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec
https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1

Timeline

2025-05-04 10:40:21 UTC
CVE

smb: client: fix OOBs when building SMB2_IOCTL request