ghsa-276c-3gx4-x9pr
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix buffer overflow when parsing NFS reparse points
ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength.
Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len.
Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access.
Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev().
{
"affected": [],
"aliases": [
"CVE-2024-49996"
],
"database_specific": {
"cwe_ids": [
"CWE-120"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType\u0027s size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf-\u003eDataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev().",
"id": "GHSA-276c-3gx4-x9pr",
"modified": "2024-12-14T21:31:33Z",
"published": "2024-10-21T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49996"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01cdddde39b065074fd48f07027757783cbf5b7d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73b078e3314d4854fd8286f3ba65c860ddd3a3dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b222d6cb87077faf56a687a72af1951cf78c8a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec79e6170bcae8a6036a4b6960f5e7e59a785601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.