CVE-2024-53185

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53185
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53185.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53185
Downstream
Related
Published
2024-12-27T13:49:28Z
Modified
2025-10-17T18:15:30.141468Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
smb: client: fix NULL ptr deref in crypto_aead_setkey()
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix NULL ptr deref in cryptoaeadsetkey()

Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2GLOBALCAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4.

Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->ciphertype check to conditionally call smb3cryptoaeadallocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02.

Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well.

mount.cifs //srv/share /mnt -o vers=3.02,seal,...

BUG: KASAN: null-ptr-deref in cryptoaeadsetkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? cryptoaeadsetkey+0x2c/0x130 kasanreport+0xda/0x110 ? cryptoaeadsetkey+0x2c/0x130 cryptoaeadsetkey+0x2c/0x130 cryptmessage+0x258/0xec0 [cifs] ? asanmemset+0x23/0x50 ? _pfxcryptmessage+0x10/0x10 [cifs] ? marklock+0xb0/0x6a0 ? hlockclass+0x32/0xb0 ? marklock+0xb0/0x6a0 smb3inittransformrq+0x352/0x3f0 [cifs] ? lockacquire.part.0+0xf4/0x2a0 smbsendrqst+0x144/0x230 [cifs] ? _pfxsmbsendrqst+0x10/0x10 [cifs] ? hlockclass+0x32/0xb0 ? smb2setuprequest+0x225/0x3a0 [cifs] ? _pfxcifscompoundlastcallback+0x10/0x10 [cifs] compoundsendrecv+0x59b/0x1140 [cifs] ? _pfxcompoundsendrecv+0x10/0x10 [cifs] ? _createobject+0x5e/0x90 ? hlockclass+0x32/0xb0 ? dorawspinunlock+0x9a/0xf0 cifssendrecv+0x23/0x30 [cifs] SMB2tcon+0x3ec/0xb30 [cifs] ? _pfxSMB2tcon+0x10/0x10 [cifs] ? lockacquire.part.0+0xf4/0x2a0 ? _pfxlockrelease+0x10/0x10 ? dorawspintrylock+0xc6/0x120 ? lockacquire+0x3f/0x90 ? _getxid+0x16/0xd0 [cifs] ? _pfxSMB2tcon+0x10/0x10 [cifs] ? cifsgetsmbses+0xcdd/0x10a0 [cifs] cifsgetsmbses+0xcdd/0x10a0 [cifs] ? _pfxcifsgetsmbses+0x10/0x10 [cifs] ? cifsgettcpsession+0xaa0/0xca0 [cifs] cifsmountgetsession+0x8a/0x210 [cifs] dfsmountshare+0x1b0/0x11d0 [cifs] ? _pfxlockacquire+0x10/0x10 ? pfxdfsmountshare+0x10/0x10 [cifs] ? lockacquire.part.0+0xf4/0x2a0 ? findheldlock+0x8a/0xa0 ? hlockclass+0x32/0xb0 ? lockrelease+0x203/0x5d0 cifsmount+0xb3/0x3d0 [cifs] ? dorawspintrylock+0xc6/0x120 ? _pfxcifsmount+0x10/0x10 [cifs] ? lockacquire+0x3f/0x90 ? findnls+0x16/0xa0 ? smb3updatemntflags+0x372/0x3b0 [cifs] cifssmb3domount+0x1e2/0xc80 [cifs] ? _pfxvfsparsefsstring+0x10/0x10 ? _pfxcifssmb3domount+0x10/0x10 [cifs] smb3gettree+0x1bf/0x330 [cifs] vfsgettree+0x4a/0x160 pathmount+0x3c1/0xfb0 ? kasanquarantineput+0xc7/0x1d0 ? _pfxpathmount+0x10/0x10 ? kmemcachefree+0x118/0x3e0 ? userpathat+0x74/0xa0 _x64sysmount+0x1a6/0x1e0 ? _pfxx64sysmount+0x10/0x10 ? markheldlocks+0x1a/0x90 dosyscall64+0xbb/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8f14a476abba13144df5434871a7225fd29af633
Fixed
92c5b62879073b489793a067dbe8d4f2728cdcad
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ef51c0d544b1518b35364480317ab6d3468f205d
Fixed
4a788ebbb10db9da453d52eaf44a41c13dc446df
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bce966530fd5542bbb422cb45ecb775f7a1a6bc3
Fixed
44c495818d9c4a741ab9e6bc9203ccc9f55f6f40
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0809fb86ad13b29e1d6d491364fc7ea4fb545995
Fixed
46f8e25926817272ec8d5bfbd003569bdeb9a8c8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
538c26d9bf70c90edc460d18c81008a4e555925a
Fixed
22127c1dc04364cda3da812161e70921e6c3c0af
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b0abcd65ec545701b8793e12bc27dc98042b151a
Fixed
9b8904b53b5ace0519c74cd89fc3ca763f3856d4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b0abcd65ec545701b8793e12bc27dc98042b151a
Fixed
4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2

Affected versions

v6.*

v6.11.10
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.6.57
v6.6.58
v6.6.59
v6.6.60
v6.6.61
v6.6.62
v6.6.63

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46f8e25926817272ec8d5bfbd003569bdeb9a8c8",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "299777582403684671168217723389385757616",
            "length": 6518.0
        },
        "id": "CVE-2024-53185-2cea97cb",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a788ebbb10db9da453d52eaf44a41c13dc446df",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "261750081219045913312019297739273831613"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-30e38672",
        "target": {
            "file": "fs/cifs/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "47034270647902162636927937389078756617"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-3243e671",
        "target": {
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@92c5b62879073b489793a067dbe8d4f2728cdcad",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "285418483815779651505493084265543858293",
            "length": 6173.0
        },
        "id": "CVE-2024-53185-508dcf6a",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/cifs/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@22127c1dc04364cda3da812161e70921e6c3c0af",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "47034270647902162636927937389078756617"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-6078a4d9",
        "target": {
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9b8904b53b5ace0519c74cd89fc3ca763f3856d4",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "93770851741079352092517849079717899338",
            "length": 6611.0
        },
        "id": "CVE-2024-53185-6b70274e",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@44c495818d9c4a741ab9e6bc9203ccc9f55f6f40",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "299777582403684671168217723389385757616",
            "length": 6518.0
        },
        "id": "CVE-2024-53185-812f84a8",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@22127c1dc04364cda3da812161e70921e6c3c0af",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "299777582403684671168217723389385757616",
            "length": 6518.0
        },
        "id": "CVE-2024-53185-84521284",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46f8e25926817272ec8d5bfbd003569bdeb9a8c8",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "47034270647902162636927937389078756617"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-8b09c855",
        "target": {
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "93770851741079352092517849079717899338",
            "length": 6611.0
        },
        "id": "CVE-2024-53185-c8434bde",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9b8904b53b5ace0519c74cd89fc3ca763f3856d4",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "47034270647902162636927937389078756617"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-d14ce967",
        "target": {
            "file": "fs/smb/client/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a788ebbb10db9da453d52eaf44a41c13dc446df",
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "133105678752939609049049305988820745235",
            "length": 6458.0
        },
        "id": "CVE-2024-53185-d1ff1959",
        "target": {
            "function": "SMB2_negotiate",
            "file": "fs/cifs/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@92c5b62879073b489793a067dbe8d4f2728cdcad",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "261750081219045913312019297739273831613"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-d9cf9628",
        "target": {
            "file": "fs/cifs/smb2pdu.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@44c495818d9c4a741ab9e6bc9203ccc9f55f6f40",
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "213357934141954431198850267032482756676",
                "72120948678858906133426068417644767586",
                "174007036438373990312506670986555619128",
                "47034270647902162636927937389078756617"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-53185-ea6c3492",
        "target": {
            "file": "fs/smb/client/smb2pdu.c"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.64
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.11
Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.2