CVE-2024-26608 in Linux
요약
\~에 의해 VulDB • 2026. 06. 29.
Based on the KASAN report, there is an out-of-bounds access occurring at `ksmbd_nl_policy + 0x100`. The memory dump shows redzones (`f9`) indicating a use-after-free or buffer overflow scenario where the code is accessing memory beyond the allocated bounds of the policy array.
The fix described in your prompt suggests that `KSMBD_EVENT_MAX` was likely used as an index into this policy array, but it exceeded the valid range because other netlink families typically define their max constant as `(last_valid_event - 1)` or similar boundary checks rely on strict inequality (`< KSMBD_EVENT_MAX`). If `KSMBD_EVENT_MAX` represented the *count* of events (e.g., indices 0 to N-1), using it directly as an index would access index N, which is out of bounds for a size-N array.
Here is how you should implement this fix in the kernel source code:
### Step 1: Define `__KSMBD_EVENT_MAX` and adjust `KSMBD_EVENT_MAX`
In the header file where netlink event types are defined (likely `include/uapi/linux/ksmbd_netlink.h` or similar), you need to introduce a placeholder for the maximum valid index.
```c /* In include/uapi/linux/ksmbd_netlink.h */
enum ksmbd_nl_event {
KSMBD_EVENT_NONE = 0, /* ... existing events ... */ KSMBD_EVENT_LAST, // This is typically the last actual event type __KSMBD_EVENT_MAX, // Placeholder for array sizing/bounds checking };
/* * According to netlink conventions and other families: * KSMBD_EVENT_MAX should be equal to __KSMBD_EVENT_MAX - 1 if it's used as a bound. * However, the prompt says "let KSMBD_EVENT_MAX to be its original value - 1". * This implies that previously KSMBD_EVENT_MAX might have been defined as * (last_event_index + 1) which caused off-by-one errors when used in loops or array accesses. */
#define KSMBD_EVENT_MAX (__KSMBD_EVENT_MAX - 1) ```
**Wait**, let's re-read the prompt carefully: *"add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do."*
This usually means: 1. The last valid event index is `N`. 2. Previously, `KSMBD_EVENT_MAX` might have been defined as `N+1` (the count). 3. Now, we define `__KSMBD_EVENT_MAX = N + 1` (as a sentinel/placeholder for size checks). 4. And redefine `KSMBD_EVENT_MAX` to be `N` (i.e., `__KSMBD_EVENT_MAX - 1`) so that it represents the *maximum valid index*.
Let's assume the enum looks like this:
```c enum ksmbd_nl_event {
KSMBD_EVENT_NONE = 0, KSMBD_EVENT_CONNECT, KSMBD_EVENT_DISCONNECT, /* ... other events ... */ __KSMBD_EVENT_MAX, // This will be the count of events (e.g., if last is index 5, this is 6) };
/* * Fix: Make KSMBD_EVENT_MAX represent the maximum valid INDEX. * If there are N events indexed 0..N-1, then __KSMBD_EVENT_MAX = N. * We want KSMBD_EVENT_MAX to be N-1 for use as a bound in < comparisons or array indexing. */
#define KSMBD_EVENT_MAX (__KSMBD_EVENT_MAX - 1) ```
### Step 2: Update sites that refer to `KSMBD_EVENT_MAX`
You need to find all places where `KSMBD_EVENT_MAX` is used as an **index** or in a loop bound and ensure they are correct. The prompt says "change two sites". These likely involve array accesses like `ksmbd_nl_policy[KSMBD_EVENT_MAX]`.
#### Site 1: Policy Array Definition/Access If you have an array defined based on event types, such as:
```c static const struct nla_policy ksmbd_nl_policy[__KSMBD_EVENT_MAX];
// Or previously: static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1];
```
Ensure the size of the policy array is `__KSMBD_EVENT_MAX` (the count), but when accessing, use valid indices `< KSMBD_EVENT_MAX`.
However, KASAN reported access at `ksmbd_nl_policy+0x1
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.