We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53185

smb: client: fix NULL ptr deref in crypto_aead_setkey()



Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix NULL ptr deref in crypto_aead_setkey() Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02. Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well. mount.cifs //srv/share /mnt -o vers=3.02,seal,... BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compound_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? do_raw_spin_unlock+0x9a/0xf0 cifs_send_recv+0x23/0x30 [cifs] SMB2_tcon+0x3ec/0xb30 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_trylock+0xc6/0x120 ? lock_acquire+0x3f/0x90 ? _get_xid+0x16/0xd0 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? lock_release+0x203/0x5d0 cifs_mount+0xb3/0x3d0 [cifs] ? do_raw_spin_trylock+0xc6/0x120 ? __pfx_cifs_mount+0x10/0x10 [cifs] ? lock_acquire+0x3f/0x90 ? find_nls+0x16/0xa0 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs] cifs_smb3_do_mount+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reserved 2024-11-19 | Published 2024-12-27 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

8f14a476abba13144df5434871a7225fd29af633 before 92c5b62879073b489793a067dbe8d4f2728cdcad
affected

ef51c0d544b1518b35364480317ab6d3468f205d before 4a788ebbb10db9da453d52eaf44a41c13dc446df
affected

bce966530fd5542bbb422cb45ecb775f7a1a6bc3 before 44c495818d9c4a741ab9e6bc9203ccc9f55f6f40
affected

0809fb86ad13b29e1d6d491364fc7ea4fb545995 before 46f8e25926817272ec8d5bfbd003569bdeb9a8c8
affected

538c26d9bf70c90edc460d18c81008a4e555925a before 22127c1dc04364cda3da812161e70921e6c3c0af
affected

b0abcd65ec545701b8793e12bc27dc98042b151a before 9b8904b53b5ace0519c74cd89fc3ca763f3856d4
affected

b0abcd65ec545701b8793e12bc27dc98042b151a before 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2
affected

Default status
affected

6.12
affected

Any version before 6.12
unaffected

6.6.64
unaffected

6.11.11
unaffected

6.12.2
unaffected

6.13
unaffected

References

git.kernel.org/...c/92c5b62879073b489793a067dbe8d4f2728cdcad

git.kernel.org/...c/4a788ebbb10db9da453d52eaf44a41c13dc446df

git.kernel.org/...c/44c495818d9c4a741ab9e6bc9203ccc9f55f6f40

git.kernel.org/...c/46f8e25926817272ec8d5bfbd003569bdeb9a8c8

git.kernel.org/...c/22127c1dc04364cda3da812161e70921e6c3c0af

git.kernel.org/...c/9b8904b53b5ace0519c74cd89fc3ca763f3856d4

git.kernel.org/...c/4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2

cve.org (CVE-2024-53185)

nvd.nist.gov (CVE-2024-53185)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-53185

Support options

Helpdesk Chat, Email, Knowledgebase