CVE-2024-26608 in Linux정보

요약

\~에 의해 VulDB • 2026. 06. 29.

Based on the KASAN report, there is an out-of-bounds access occurring at `ksmbd_nl_policy + 0x100`. The memory dump shows redzones (`f9`) indicating a use-after-free or buffer overflow scenario where the code is accessing memory beyond the allocated bounds of the policy array.

The fix described in your prompt suggests that `KSMBD_EVENT_MAX` was likely used as an index into this policy array, but it exceeded the valid range because other netlink families typically define their max constant as `(last_valid_event - 1)` or similar boundary checks rely on strict inequality (`< KSMBD_EVENT_MAX`). If `KSMBD_EVENT_MAX` represented the *count* of events (e.g., indices 0 to N-1), using it directly as an index would access index N, which is out of bounds for a size-N array.

Here is how you should implement this fix in the kernel source code:

### Step 1: Define `__KSMBD_EVENT_MAX` and adjust `KSMBD_EVENT_MAX`

In the header file where netlink event types are defined (likely `include/uapi/linux/ksmbd_netlink.h` or similar), you need to introduce a placeholder for the maximum valid index.

```c /* In include/uapi/linux/ksmbd_netlink.h */

enum ksmbd_nl_event {
KSMBD_EVENT_NONE = 0, /* ... existing events ... */ KSMBD_EVENT_LAST, // This is typically the last actual event type __KSMBD_EVENT_MAX, // Placeholder for array sizing/bounds checking };

/* * According to netlink conventions and other families: * KSMBD_EVENT_MAX should be equal to __KSMBD_EVENT_MAX - 1 if it's used as a bound. * However, the prompt says "let KSMBD_EVENT_MAX to be its original value - 1". * This implies that previously KSMBD_EVENT_MAX might have been defined as * (last_event_index + 1) which caused off-by-one errors when used in loops or array accesses. */

#define KSMBD_EVENT_MAX (__KSMBD_EVENT_MAX - 1) ```

**Wait**, let's re-read the prompt carefully: *"add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do."*

This usually means: 1. The last valid event index is `N`. 2. Previously, `KSMBD_EVENT_MAX` might have been defined as `N+1` (the count). 3. Now, we define `__KSMBD_EVENT_MAX = N + 1` (as a sentinel/placeholder for size checks). 4. And redefine `KSMBD_EVENT_MAX` to be `N` (i.e., `__KSMBD_EVENT_MAX - 1`) so that it represents the *maximum valid index*.

Let's assume the enum looks like this:

```c enum ksmbd_nl_event {
KSMBD_EVENT_NONE = 0, KSMBD_EVENT_CONNECT, KSMBD_EVENT_DISCONNECT, /* ... other events ... */ __KSMBD_EVENT_MAX, // This will be the count of events (e.g., if last is index 5, this is 6) };

/* * Fix: Make KSMBD_EVENT_MAX represent the maximum valid INDEX. * If there are N events indexed 0..N-1, then __KSMBD_EVENT_MAX = N. * We want KSMBD_EVENT_MAX to be N-1 for use as a bound in < comparisons or array indexing. */

#define KSMBD_EVENT_MAX (__KSMBD_EVENT_MAX - 1) ```

### Step 2: Update sites that refer to `KSMBD_EVENT_MAX`

You need to find all places where `KSMBD_EVENT_MAX` is used as an **index** or in a loop bound and ensure they are correct. The prompt says "change two sites". These likely involve array accesses like `ksmbd_nl_policy[KSMBD_EVENT_MAX]`.

#### Site 1: Policy Array Definition/Access If you have an array defined based on event types, such as:

```c static const struct nla_policy ksmbd_nl_policy[__KSMBD_EVENT_MAX];
// Or previously: static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1];
```

Ensure the size of the policy array is `__KSMBD_EVENT_MAX` (the count), but when accessing, use valid indices `< KSMBD_EVENT_MAX`.

However, KASAN reported access at `ksmbd_nl_policy+0x1

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

출처

Interested in the pricing of exploits?

See the underground prices here!