fkie_cve-2024-53185
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2025-02-10 18:15
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix NULL ptr deref in crypto_aead_setkey() Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02. Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well. mount.cifs //srv/share /mnt -o vers=3.02,seal,... BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compound_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? do_raw_spin_unlock+0x9a/0xf0 cifs_send_recv+0x23/0x30 [cifs] SMB2_tcon+0x3ec/0xb30 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_trylock+0xc6/0x120 ? lock_acquire+0x3f/0x90 ? _get_xid+0x16/0xd0 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? lock_release+0x203/0x5d0 cifs_mount+0xb3/0x3d0 [cifs] ? do_raw_spin_trylock+0xc6/0x120 ? __pfx_cifs_mount+0x10/0x10 [cifs] ? lock_acquire+0x3f/0x90 ? find_nls+0x16/0xa0 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs] cifs_smb3_do_mount+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/22127c1dc04364cda3da812161e70921e6c3c0afPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/44c495818d9c4a741ab9e6bc9203ccc9f55f6f40
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/46f8e25926817272ec8d5bfbd003569bdeb9a8c8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9b8904b53b5ace0519c74cd89fc3ca763f3856d4Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8945A66-658A-4AD8-A181-1427B77B6201",
              "versionEndExcluding": "6.6.64",
              "versionStartIncluding": "6.6.57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "882290D1-9594-457B-B4DE-75810B78463D",
              "versionEndExcluding": "6.11.11",
              "versionStartIncluding": "6.11.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776",
              "versionEndExcluding": "6.12.2",
              "versionStartIncluding": "6.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix NULL ptr deref in crypto_aead_setkey()\n\nNeither SMB3.0 or SMB3.02 supports encryption negotiate context, so\nwhen SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,\nthe client uses AES-128-CCM as the default cipher.  See MS-SMB2\n3.3.5.4.\n\nCommit b0abcd65ec54 (\"smb: client: fix UAF in async decryption\") added\na @server-\u003ecipher_type check to conditionally call\nsmb3_crypto_aead_allocate(), but that check would always be false as\n@server-\u003ecipher_type is unset for SMB3.02.\n\nFix the following KASAN splat by setting @server-\u003ecipher_type for\nSMB3.02 as well.\n\nmount.cifs //srv/share /mnt -o vers=3.02,seal,...\n\nBUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130\nRead of size 8 at addr 0000000000000020 by task mount.cifs/1095\nCPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5d/0x80\n ? crypto_aead_setkey+0x2c/0x130\n kasan_report+0xda/0x110\n ? crypto_aead_setkey+0x2c/0x130\n crypto_aead_setkey+0x2c/0x130\n crypt_message+0x258/0xec0 [cifs]\n ? __asan_memset+0x23/0x50\n ? __pfx_crypt_message+0x10/0x10 [cifs]\n ? mark_lock+0xb0/0x6a0\n ? hlock_class+0x32/0xb0\n ? mark_lock+0xb0/0x6a0\n smb3_init_transform_rq+0x352/0x3f0 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n smb_send_rqst+0x144/0x230 [cifs]\n ? __pfx_smb_send_rqst+0x10/0x10 [cifs]\n ? hlock_class+0x32/0xb0\n ? smb2_setup_request+0x225/0x3a0 [cifs]\n ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]\n compound_send_recv+0x59b/0x1140 [cifs]\n ? __pfx_compound_send_recv+0x10/0x10 [cifs]\n ? __create_object+0x5e/0x90\n ? hlock_class+0x32/0xb0\n ? do_raw_spin_unlock+0x9a/0xf0\n cifs_send_recv+0x23/0x30 [cifs]\n SMB2_tcon+0x3ec/0xb30 [cifs]\n ? __pfx_SMB2_tcon+0x10/0x10 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n ? __pfx_lock_release+0x10/0x10\n ? do_raw_spin_trylock+0xc6/0x120\n ? lock_acquire+0x3f/0x90\n ? _get_xid+0x16/0xd0 [cifs]\n ? __pfx_SMB2_tcon+0x10/0x10 [cifs]\n ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]\n cifs_get_smb_ses+0xcdd/0x10a0 [cifs]\n ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]\n ? cifs_get_tcp_session+0xaa0/0xca0 [cifs]\n cifs_mount_get_session+0x8a/0x210 [cifs]\n dfs_mount_share+0x1b0/0x11d0 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? lock_release+0x203/0x5d0\n cifs_mount+0xb3/0x3d0 [cifs]\n ? do_raw_spin_trylock+0xc6/0x120\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\n ? lock_acquire+0x3f/0x90\n ? find_nls+0x16/0xa0\n ? smb3_update_mnt_flags+0x372/0x3b0 [cifs]\n cifs_smb3_do_mount+0x1e2/0xc80 [cifs]\n ? __pfx_vfs_parse_fs_string+0x10/0x10\n ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]\n smb3_get_tree+0x1bf/0x330 [cifs]\n vfs_get_tree+0x4a/0x160\n path_mount+0x3c1/0xfb0\n ? kasan_quarantine_put+0xc7/0x1d0\n ? __pfx_path_mount+0x10/0x10\n ? kmem_cache_free+0x118/0x3e0\n ? user_path_at+0x74/0xa0\n __x64_sys_mount+0x1a6/0x1e0\n ? __pfx___x64_sys_mount+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corregir NULL ptr deref en crypto_aead_setkey() Ni SMB3.0 ni SMB3.02 admiten el contexto de negociaci\u00f3n de cifrado, por lo que cuando se establece el indicador SMB2_GLOBAL_CAP_ENCRYPTION en la respuesta de negociaci\u00f3n, el cliente utiliza AES-128-CCM como cifrado predeterminado. Consulte MS-SMB2 3.3.5.4. el commit b0abcd65ec54 (\"smb: cliente: corregir UAF en descifrado as\u00edncrono\") agreg\u00f3 una comprobaci\u00f3n @server-\u0026gt;cipher_type para llamar condicionalmente a smb3_crypto_aead_allocate(), pero esa comprobaci\u00f3n siempre ser\u00eda falsa ya que @server-\u0026gt;cipher_type no est\u00e1 configurado para SMB3.02. Corrija el siguiente splat de KASAN configurando tambi\u00e9n @server-\u0026gt;cipher_type para SMB3.02. mount.cifs //srv/share /mnt -o vers=3.02,seal,... ERROR: KASAN: null-ptr-deref en crypto_aead_setkey+0x2c/0x130 Lectura de tama\u00f1o 8 en la direcci\u00f3n 0000000000000020 por la tarea mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs No contaminado 6.12.0 #1 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Rastreo de llamadas:  dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compuesto_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? bloqueo_adquirir.parte.0+0xf4/0x2a0 ? bloqueo_adquirir+0xc6/0x120 ? _get_xid+0x16/0xd0 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? bloqueo_adquirir.parte.0+0xf4/0x2a0 ? bloqueo_retenido_encontrar+0x8a/0xa0 ? clase_bloqueo_h+0x32/0xb0 ? liberaci\u00f3n_bloqueo+0x203/0x5d0 montaje_cifs+0xb3/0x3d0 [cifs] ? intento_bloqueo_giro_sin_bloqueo+0xc6/0x120 ? montaje_cifs_pfx+0x10/0x10 [cifs] ? bloqueo_adquirir+0x3f/0x90 ? montaje_nls_encontrar+0x16/0xa0 ? banderas_mnt_actualizar_smb3+0x372/0x3b0 [cifs] cifs_smb3_hacer_montar+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? marcar_bloqueos_retenidos+0x1a/0x90 hacer_llamada_al_sistema_64+0xbb/0x1d0 entrada_SYSCALL_64_despu\u00e9s_de_hwframe+0x77/0x7f"
    }
  ],
  "id": "CVE-2024-53185",
  "lastModified": "2025-02-10T18:15:28.080",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-27T14:15:25.973",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/22127c1dc04364cda3da812161e70921e6c3c0af"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/44c495818d9c4a741ab9e6bc9203ccc9f55f6f40"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/46f8e25926817272ec8d5bfbd003569bdeb9a8c8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9b8904b53b5ace0519c74cd89fc3ca763f3856d4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.