AZL-53543

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-53543.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-53543

Upstream

CVE-2024-50151

Published

2024-11-07T10:15:06Z

Modified

2026-04-01T05:18:04.729681Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2024-50151 affecting package kernel for versions less than 6.6.64.2-1

Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOBs when building SMB2_IOCTL request

When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2setnext_command().

SMB2ioctlinit() allocates a small buffer (448 bytes) to hold the SMB2IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2setnextcommand() will end up writing off the end of @rqst->iov[0].iov_base as shown below:

mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link

BUG: KASAN: slab-out-of-bounds in smb2setnext_command.cold+0x1d6/0x24c [cifs] Write of size 4116 at addr ffff8881148fcab8 by task ln/859

CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] printreport+0x156/0x4d9 ? smb2setnext_command.cold+0x1d6/0x24c [cifs] ? __virtaddrvalid+0x145/0x310 ? __physaddr+0x46/0x90 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] kasanreport+0xda/0x110 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] kasancheckrange+0x10f/0x1f0 __asanmemcpy+0x3c/0x60 smb2setnextcommand.cold+0x1d6/0x24c [cifs] smb2compoundop+0x238c/0x3840 [cifs] ? kasansavetrack+0x14/0x30 ? kasansavefreeinfo+0x3b/0x70 ? vfssymlink+0x1a1/0x2c0 ? do_symlinkat+0x108/0x1c0 ? __pfxsmb2compoundop+0x10/0x10 [cifs] ? kmemcachefree+0x118/0x3e0 ? cifsgetwritablepath+0xeb/0x1a0 [cifs] smb2getreparse_inode+0x423/0x540 [cifs] ? __pfxsmb2getreparseinode+0x10/0x10 [cifs] ? rcuiswatching+0x20/0x50 ? __kmallocnoprof+0x37c/0x480 ? smb2createreparsesymlink+0x257/0x490 [cifs] ? smb2createreparsesymlink+0x38f/0x490 [cifs] smb2createreparsesymlink+0x38f/0x490 [cifs] ? __pfxsmb2createreparsesymlink+0x10/0x10 [cifs] ? findheldlock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? __buildpathfromdentryoptionalprefix+0x19d/0x2e0 [cifs] cifssymlink+0x24f/0x960 [cifs] ? __pfxmakevfsuid+0x10/0x10 ? __pfxcifssymlink+0x10/0x10 [cifs] ? makevfsgid+0x6b/0xc0 ? genericpermission+0x96/0x2d0 vfssymlink+0x1a1/0x2c0 dosymlinkat+0x108/0x1c0 ? __pfxdosymlinkat+0x10/0x10 ? strncpyfromuser+0xaa/0x160 __x64syssymlinkat+0xb9/0xf0 dosyscall64+0xbb/0x1d0 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50151

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.64.2-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-53543.json"