CVE-2024-26608 in Linuxinfo

Summary

by MITRE • 03/11/2024

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix global oob in ksmbd_nl_policy

Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below:

================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810

CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline]
print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline]
__nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse include/net/netlink.h:748 [inline]
genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000

The buggy address belongs to the variable: ksmbd_nl_policy+0x100/0xa80

The buggy address belongs to the physical page: page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ==================================================================

To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do. Also change two sites that refer the KSMBD_EVENT_MAX to correct value.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/19/2025

The vulnerability described in CVE-2024-26608 affects the Linux kernel's ksmbd subsystem, specifically within the netlink policy handling mechanism. This issue manifests as a global out-of-bounds read, which occurs when the kernel processes netlink messages through the ksmbd_nl_policy structure. The flaw is classified as a memory safety issue that allows for unauthorized access to memory regions beyond the intended bounds, potentially leading to information disclosure or system instability. The vulnerability was identified through fuzzing activities and is reminiscent of a previously reported issue in the Qualcomm rmnet driver, indicating a pattern of similar flaws in netlink policy implementations.

The technical root cause of this vulnerability lies in the improper validation of netlink attributes within the ksmbd subsystem. When processing incoming netlink messages, the kernel's attribute validation function __nla_validate_parse attempts to read beyond the allocated bounds of the ksmbd_nl_policy structure. The KASAN (Kernel Address Sanitizer) report clearly indicates that the out-of-bounds read occurs at address fffffff8f24b100, which belongs to the ksmbd_nl_policy variable. This memory access violation happens during the parsing of netlink message attributes, where the kernel fails to properly enforce bounds checking on the policy structure. The access pattern suggests that the kernel attempts to read a single byte from an address that extends beyond the legitimate memory boundaries of the policy array.

The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a potential vector for privilege escalation or information leakage within the kernel space. The flaw allows for unauthorized memory access that could expose sensitive kernel data or potentially be leveraged to execute arbitrary code within kernel context. This type of vulnerability directly impacts the integrity and confidentiality of the system, as it enables attackers to read memory contents that they should not have access to. The vulnerability affects systems running Linux kernels with ksmbd support, particularly those utilizing netlink communication for SMB protocol handling, and could be exploited by malicious actors with local access to the system.

Mitigation strategies for CVE-2024-26608 involve implementing proper bounds checking within the netlink policy validation mechanism. The fix requires adding a placeholder constant __KSMBD_EVENT_MAX and adjusting the KSMBD_EVENT_MAX definition to be one less than its original value, following established patterns used by other netlink families in the kernel. This approach ensures that the policy array bounds are properly enforced during attribute parsing operations. Additionally, the fix involves correcting two specific code locations that reference the KSMBD_EVENT_MAX constant to use the adjusted value. The solution aligns with common kernel security practices for preventing out-of-bounds memory accesses and follows the ATT&CK framework's approach to kernel-level privilege escalation techniques. The vulnerability is categorized under CWE-129 as an Improper Validation of Array Index, and the fix addresses the underlying memory safety issue through proper bounds enforcement. System administrators should apply the relevant kernel patches as soon as they become available to protect against exploitation of this vulnerability.

Reservation

02/19/2024

Disclosure

03/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00234

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!