Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size validation could be skipped. if request size is smaller than sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in smb2_allocate_rsp_buf(). This patch allocate response buffer after decrypting transform request. smb3_decrypt_req() will validate transform request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().
Product status
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before da21401372607c49972ea87a6edaafb36a17c325
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before b80ba648714e6d790d69610cf14656be222d0248
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before 3160d9734453a40db248487f8204830879c207f1
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before 0977f89722eceba165700ea384f075143f012085
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before c119f4ede3fa90a9463f50831761c28f989bfb20
5.15
Any version before 5.15
5.15.159 (semver)
6.1.88 (semver)
6.6.29 (semver)
6.8.8 (semver)
6.9 (original_commit_for_fix)
References
git.kernel.org/...c/da21401372607c49972ea87a6edaafb36a17c325
git.kernel.org/...c/b80ba648714e6d790d69610cf14656be222d0248
git.kernel.org/...c/3160d9734453a40db248487f8204830879c207f1
git.kernel.org/...c/0977f89722eceba165700ea384f075143f012085
git.kernel.org/...c/c119f4ede3fa90a9463f50831761c28f989bfb20
lists.fedoraproject.org/...DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/
lists.fedoraproject.org/...4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/
lists.fedoraproject.org/...GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/
git.kernel.org/...c/da21401372607c49972ea87a6edaafb36a17c325
git.kernel.org/...c/b80ba648714e6d790d69610cf14656be222d0248
git.kernel.org/...c/3160d9734453a40db248487f8204830879c207f1
git.kernel.org/...c/0977f89722eceba165700ea384f075143f012085
git.kernel.org/...c/c119f4ede3fa90a9463f50831761c28f989bfb20
