CVE-2024-26608 in Linux
Riassunto
di VulDB • 18/06/2026
Based on the KASAN report and the provided fix description, here is the analysis and the corresponding code changes.
### Analysis
1. **The Bug**: The kernel detected a bad memory access at an address belonging to `ksmbd_nl_policy + 0x100`. The memory dump shows `f9` bytes, which is KASAN's "redzone" pattern indicating that the access is out-of-bounds (specifically, accessing memory just beyond a valid allocation or into a guard zone). 2. **The Cause**: The `ksmbd_nl_policy` array is likely indexed by event types defined by `KSMBD_EVENT_MAX`. If `KSMBD_EVENT_MAX` is defined as the *count* of events (e.g., 5) but the valid indices are `0` to `4`, and the code or policy array size is based on `KSMBD_EVENT_MAX` without proper bounds checking or if the array is sized exactly to `KSMBD_EVENT_MAX` but accessed with an index equal to `KSMBD_EVENT_MAX`, it causes an out-of-bounds read/write. 3. **The Fix**: * Define a placeholder `__KSMBD_EVENT_MAX` that represents the actual number of events (the count). * Define `KSMBD_EVENT_MAX` as `__KSMBD_EVENT_MAX - 1` (or ensure the policy array is sized correctly based on the max valid index). However, the prompt specifically says: *"let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do"*. This implies `KSMBD_EVENT_MAX` should represent the **maximum valid index**, not the count. * Update any code that uses `KSMBD_EVENT_MAX` as a loop bound or array size to use the correct count (likely `__KSMBD_EVENT_MAX` or `KSMBD_EVENT_MAX + 1`).
### Code Changes
Assuming the typical structure of `ksmbd` netlink policy definitions, here are the likely changes needed in the relevant header/source files (e.g., `fs/ksmbd/smb_common.h` or `fs/ksmbd/netlink.c`).
#### 1. Update the Event Enum/Definition
Find the definition of `KSMBD_EVENT_MAX` and adjust it.
**Before (Hypothetical):** ```c enum ksmbd_event_type {
KSMBD_EVENT_NONE = 0, KSMBD_EVENT_CONNECT, KSMBD_EVENT_DISCONNECT, KSMBD_EVENT_CREATE, KSMBD_EVENT_DELETE, KSMBD_EVENT_MAX, // This was likely 5, causing out-of-bounds if used as index }; ```
**After:** ```c enum ksmbd_event_type {
KSMBD_EVENT_NONE = 0, KSMBD_EVENT_CONNECT, KSMBD_EVENT_DISCONNECT, KSMBD_EVENT_CREATE, KSMBD_EVENT_DELETE, __KSMBD_EVENT_MAX, // Placeholder for the count };
#define KSMBD_EVENT_MAX (__KSMBD_EVENT_MAX - 1) ```
#### 2. Update the Netlink Policy Array Size
The `ksmbd_nl_policy` array must be sized to accommodate the maximum valid index. If `KSMBD_EVENT_MAX` is now the max index, the array size should be `KSMBD_EVENT_MAX + 1` or simply `__KSMBD_EVENT_MAX`.
**Before:** ```c static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
// ... }; ``` *(Note: If the bug is at `+0x100`, it suggests the array might have been sized incorrectly or accessed with an invalid index.)*
**After:** Ensure the array is sized correctly. If `KSMBD_EVENT_MAX` is now the max index, the size should be `KSMBD_EVENT_MAX + 1`.
```c static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
[KSMBD_EVENT_NONE] = { .type = NLA_U32 },
[KSMBD_EVENT_CONNECT] = { .type = NLA_U32 },
[KSMBD_EVENT_DISCONNECT] = { .type = NLA_U32 },
[KSMBD_EVENT_CREATE] = { .type = NLA_U32 },
[KSMBD_EVENT_DELETE] = { .type = NLA_U32 },
// ... other events }; ```
#### 3. Update Sites Referencing `KSMBD_EVENT_MAX`
Find any loops or checks that use
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.