DEBIAN-CVE-2024-50151

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2024-50151

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50151.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-50151

Upstream

CVE-2024-50151

Published

2024-11-07T10:15:06Z

Modified

2025-09-19T07:34:09.963882Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOBs when building SMB2IOCTL request When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2setnextcommand(). SMB2ioctlinit() allocates a small buffer (448 bytes) to hold the SMB2IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2setnextcommand() will end up writing off the end of @rqst->iov[0].iovbase as shown below: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link BUG: KASAN: slab-out-of-bounds in smb2setnextcommand.cold+0x1d6/0x24c [cifs] Write of size 4116 at addr ffff8881148fcab8 by task ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] printreport+0x156/0x4d9 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] ? _virtaddrvalid+0x145/0x310 ? _physaddr+0x46/0x90 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] kasanreport+0xda/0x110 ? smb2setnextcommand.cold+0x1d6/0x24c [cifs] kasancheckrange+0x10f/0x1f0 _asanmemcpy+0x3c/0x60 smb2setnextcommand.cold+0x1d6/0x24c [cifs] smb2compoundop+0x238c/0x3840 [cifs] ? kasansavetrack+0x14/0x30 ? kasansavefreeinfo+0x3b/0x70 ? vfssymlink+0x1a1/0x2c0 ? dosymlinkat+0x108/0x1c0 ? _pfxsmb2compoundop+0x10/0x10 [cifs] ? kmemcachefree+0x118/0x3e0 ? cifsgetwritablepath+0xeb/0x1a0 [cifs] smb2getreparseinode+0x423/0x540 [cifs] ? _pfxsmb2getreparseinode+0x10/0x10 [cifs] ? rcuiswatching+0x20/0x50 ? _kmallocnoprof+0x37c/0x480 ? smb2createreparsesymlink+0x257/0x490 [cifs] ? smb2createreparsesymlink+0x38f/0x490 [cifs] smb2createreparsesymlink+0x38f/0x490 [cifs] ? _pfxsmb2createreparsesymlink+0x10/0x10 [cifs] ? findheldlock+0x8a/0xa0 ? hlockclass+0x32/0xb0 ? _buildpathfromdentryoptionalprefix+0x19d/0x2e0 [cifs] cifssymlink+0x24f/0x960 [cifs] ? _pfxmakevfsuid+0x10/0x10 ? _pfxcifssymlink+0x10/0x10 [cifs] ? makevfsgid+0x6b/0xc0 ? genericpermission+0x96/0x2d0 vfssymlink+0x1a1/0x2c0 dosymlinkat+0x108/0x1c0 ? _pfxdosymlinkat+0x10/0x10 ? strncpyfromuser+0xaa/0x160 _x64syssymlinkat+0xb9/0xf0 dosyscall64+0xbb/0x1d0 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb

References

https://security-tracker.debian.org/tracker/CVE-2024-50151

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.234-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

5.10.178-1

5.10.178-2

5.10.178-3

5.10.179-1

5.10.179-2

5.10.179-3

5.10.179-4

5.10.179-5

5.10.191-1

5.10.197-1

5.10.205-1

5.10.205-2

5.10.209-1

5.10.209-2

5.10.216-1

5.10.218-1

5.10.221-1

5.10.223-1

5.10.226-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.115-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.11.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.11.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name: linux-6.1
Purl: pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.119-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1

6.1.106-3~deb11u2

6.1.106-3~deb11u3

6.1.112-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}