CVE-2024-26608 in Linuxinformazioni

Riassunto

di VulDB • 18/06/2026

Based on the KASAN report and the provided fix description, here is the analysis and the corresponding code changes.

### Analysis

1. **The Bug**: The kernel detected a bad memory access at an address belonging to `ksmbd_nl_policy + 0x100`. The memory dump shows `f9` bytes, which is KASAN's "redzone" pattern indicating that the access is out-of-bounds (specifically, accessing memory just beyond a valid allocation or into a guard zone). 2. **The Cause**: The `ksmbd_nl_policy` array is likely indexed by event types defined by `KSMBD_EVENT_MAX`. If `KSMBD_EVENT_MAX` is defined as the *count* of events (e.g., 5) but the valid indices are `0` to `4`, and the code or policy array size is based on `KSMBD_EVENT_MAX` without proper bounds checking or if the array is sized exactly to `KSMBD_EVENT_MAX` but accessed with an index equal to `KSMBD_EVENT_MAX`, it causes an out-of-bounds read/write. 3. **The Fix**: * Define a placeholder `__KSMBD_EVENT_MAX` that represents the actual number of events (the count). * Define `KSMBD_EVENT_MAX` as `__KSMBD_EVENT_MAX - 1` (or ensure the policy array is sized correctly based on the max valid index). However, the prompt specifically says: *"let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do"*. This implies `KSMBD_EVENT_MAX` should represent the **maximum valid index**, not the count. * Update any code that uses `KSMBD_EVENT_MAX` as a loop bound or array size to use the correct count (likely `__KSMBD_EVENT_MAX` or `KSMBD_EVENT_MAX + 1`).

### Code Changes

Assuming the typical structure of `ksmbd` netlink policy definitions, here are the likely changes needed in the relevant header/source files (e.g., `fs/ksmbd/smb_common.h` or `fs/ksmbd/netlink.c`).

#### 1. Update the Event Enum/Definition

Find the definition of `KSMBD_EVENT_MAX` and adjust it.

**Before (Hypothetical):** ```c enum ksmbd_event_type {
KSMBD_EVENT_NONE = 0, KSMBD_EVENT_CONNECT, KSMBD_EVENT_DISCONNECT, KSMBD_EVENT_CREATE, KSMBD_EVENT_DELETE, KSMBD_EVENT_MAX, // This was likely 5, causing out-of-bounds if used as index }; ```

**After:** ```c enum ksmbd_event_type {
KSMBD_EVENT_NONE = 0, KSMBD_EVENT_CONNECT, KSMBD_EVENT_DISCONNECT, KSMBD_EVENT_CREATE, KSMBD_EVENT_DELETE, __KSMBD_EVENT_MAX, // Placeholder for the count };

#define KSMBD_EVENT_MAX (__KSMBD_EVENT_MAX - 1) ```

#### 2. Update the Netlink Policy Array Size

The `ksmbd_nl_policy` array must be sized to accommodate the maximum valid index. If `KSMBD_EVENT_MAX` is now the max index, the array size should be `KSMBD_EVENT_MAX + 1` or simply `__KSMBD_EVENT_MAX`.

**Before:** ```c static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
// ... }; ``` *(Note: If the bug is at `+0x100`, it suggests the array might have been sized incorrectly or accessed with an invalid index.)*

**After:** Ensure the array is sized correctly. If `KSMBD_EVENT_MAX` is now the max index, the size should be `KSMBD_EVENT_MAX + 1`.

```c static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
[KSMBD_EVENT_NONE] = { .type = NLA_U32 },
[KSMBD_EVENT_CONNECT] = { .type = NLA_U32 },
[KSMBD_EVENT_DISCONNECT] = { .type = NLA_U32 },
[KSMBD_EVENT_CREATE] = { .type = NLA_U32 },
[KSMBD_EVENT_DELETE] = { .type = NLA_U32 },
// ... other events }; ```

#### 3. Update Sites Referencing `KSMBD_EVENT_MAX`

Find any loops or checks that use

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Prenotare

19/02/2024

Divulgazione

11/03/2024

Moderazione

accettato

CPE

pronto

EPSS

0.00234

KEV

no

Attività

molto basso

Fonti

Want to stay up to date on a daily basis?

Enable the mail alert feature now!