In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.
The functions parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() add the server-supplied dacloffset parameter to the pntsd pointer without prior validation that the resulting pointer falls within the bounds of the returned security descriptor. On 32-bit kernel compilations, a malicious server can return a dacloffset close to the U32_MAX value, which causes the computed DACL pointer to wrap below end_of_acl. Subsequent boundary checks based on pointers are then bypassed, and the build_sec_desc() and id_mode_to_cifs_acl() functions can extract DACL fields from an incorrect memory address in the chmod/chown code paths. The fix consists of numerically validating dacloffset before creating any DACL pointer, using a shared helper function at all three DACL entry points.
An attacker controlling the SMB server response can cause arbitrary kernel memory read or overwrite, which consequently may result in privilege escalation, sensitive data disclosure, or system destabilization.
Apply patches available from the vendor according to the references — fixes have been published in the stable branches repository of the Linux kernel (git.kernel.org/stable); recommended update to a kernel version containing the appropriate commits
Linux kernel — SMB client (CIFS), 32-bit compilations; specific versions indicated in vendor references (commits in stable kernel branches)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux7.15.12 – 6.6.140 (bez)6.7 – 6.12.88 (bez)6.13 – 6.18.30 (bez)6.19 – 7.0.7 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...