In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen. Isn't pointer math fun?
The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.
Fix this mess all up by using ea->ea_data as the base for the bounds
check.
An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.
A bounds check vulnerability in Linux kernel SMB client code allows reading beyond allocated buffer memory when processing extended attributes from untrusted SMB servers. An attacker can leak up to 8 bytes of kernel heap memory through specially crafted EA responses.
ثغرة في فحص الحدود في دالة check_wsl_eas() بعميل SMB في نواة Linux تسمح بقراءة الذاكرة خارج الحدود المخصصة. يمكن لخادم SMB غير موثوق به استخدام هذه الثغرة لتسرب ما يصل إلى 8 بايتات من ذاكرة kernel heap.
A bounds check vulnerability in Linux kernel SMB client code allows reading beyond allocated buffer memory when processing extended attributes from untrusted SMB servers. An attacker can leak up to 8 bytes of kernel heap memory through specially crafted EA responses.
Update Linux kernel to patched version that corrects the bounds check calculation in check_wsl_eas() function to use ea->ea_data as the base for validation instead of ea pointer. Verify the fix ensures pointer arithmetic correctly accounts for the 8-byte offset of ea_data within the smb2_file_full_ea_info structure.
تحديث نواة Linux إلى الإصدار المصحح الذي يصحح حساب فحص الحدود في دالة check_wsl_eas() لاستخدام ea->ea_data كأساس للتحقق بدلاً من مؤشر ea. التحقق من أن الإصلاح يضمن أن حسابات المؤشرات تأخذ في الاعتبار بشكل صحيح إزاحة 8 بايتات من ea_data داخل هيكل smb2_file_full_ea_info.