Message ID | 20231127225004.615336-1-cengiz.can@canonical.com
---|---
Series | CVE-2023-32252
On 27.11.23 23:50, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB
> server. The specific flaw exists within the handling of SMB2_LOGOFF commands.
> The issue results from the lack of proper validation of a pointer prior to
> accessing it. An attacker can leverage this vulnerability to create a
> denial-of-service condition on the system.
>
> [Fix]
> In addition to the fix commit, two other commits were required.
>
> They required some careful context adjustments.
>
> [Test case]
> Compile, boot and ksmbd-tools (upstream version) tested.
>
> Please do note that in our shipped configurations, ksmbd-tools is not provided
> by default. Nor is its use encouraged.
>
> Plus, our ksmbd-tools package version in Jammy is not in sync with the
> kernel-side API, so many operations like `ksmbd.addshare` fail to parse cli
> arguments.
>
> Test steps:
> ```
> #
> # Get latest ksmbd-tools from upstream
> #
>
> sudo apt install -y automake libtool-dev libkrb5-dev libkrb5-3 \
>     pkg-config libglib2.0-dev libnl-genl-3-dev libnl-3-dev
> git clone https://github.com/cifsd-team/ksmbd-tools.git
> cd ksmbd-tools/
> ./autogen.sh
> ./configure --with-rundir=/run
> make -j$(nproc)
> sudo make install
>
> #
> # Test a few, very basic set of operations
> #
> mkdir -p /home/ubuntu/test_share
> sudo ksmbd.adduser --add ubuntu --password=ksmbdtest
> sudo ksmbd.addshare --add \
>     --option "path = /home/ubuntu/test_share" \
>     --option 'read only = no' \
>     --option "force user = ubuntu" \
>     --option "force group = ubuntu" \
>     test_share
> sudo modprobe ksmbd
> sudo ksmbd.mountd
> sudo mount -o username=ubuntu,password=ksmbdtest //127.0.0.1/test_share /mnt
> echo -n ABC123 | tee /home/ubuntu/test_share/data
> test "$(cat /mnt/data)" = "ABC123" && echo "OK" || echo "FAIL"
> cp /home/ubuntu/test_share/{data,data2}
> sudo rm /mnt/data
> mv /home/ubuntu/test_share/{data2,data3}
> test "$(cat /mnt/data3)" = "ABC123" && echo "OK" || echo "FAIL"
> sudo ksmbd.control --shutdown
> sudo ksmbd.addshare --delete test_share
> sudo ksmbd.adduser --delete ubuntu
> sudo umount /mnt
> sudo modprobe -r ksmbd
> ```
>
> [Where things could go wrong]
> Since ksmbd is still experimental, lots of things can go wrong.
>
> Dawei Li (1):
>   ksmbd: Implements sess->ksmbd_chann_list as xarray
>
> Namjae Jeon (1):
>   ksmbd: fix racy issue from session setup and logoff
>
> Yufan Chen (1):
>   ksmbd: add smb-direct shutdown
>
>  fs/ksmbd/connection.c        |  23 +++++---
>  fs/ksmbd/connection.h        |  40 ++++++++------
>  fs/ksmbd/mgmt/user_session.c |  62 +++++++++------------
>  fs/ksmbd/mgmt/user_session.h |   4 +-
>  fs/ksmbd/server.c            |   3 +-
>  fs/ksmbd/smb2pdu.c           | 103 +++++++++++++++++------------------
>  fs/ksmbd/transport_rdma.c    |  10 ++++
>  fs/ksmbd/transport_tcp.c     |   2 +-
>  8 files changed, 127 insertions(+), 120 deletions(-)

Acked-by: Stefan Bader <stefan.bader@canonical.com>
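The [Impact] paragraph quoted above describes the SMB2_LOGOFF handler acting on a looked-up session pointer without validating it, and the series title of the main fix names a race between session setup and logoff. The C program below is an added illustration written for this page, not ksmbd source and not any of the three backported commits: the session table, the SESS_* states, the refcount scheme, the error values and every function name are assumptions made for the example, and the locking the kernel needs around such a table is left out so the model stays single-threaded. It puts the hazardous shape (dereferencing the lookup result unconditionally) next to a hardened handler that rejects unknown, still-in-setup and already-expired sessions and lets a request that still holds the session keep it allocated until that request's own put.

```c
/* Illustrative single-threaded model of the lookup hazard behind the ksmbd
 * SMB2_LOGOFF fix.  NOT ksmbd code: names, refcounting and errors are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum sess_state { SESS_IN_PROGRESS, SESS_VALID, SESS_EXPIRED };
struct session { uint64_t id; enum sess_state state; int refcount; /* table + users */ };

#define MAX_SESSIONS 8
#define ERR_NOENT (-2)    /* negative-errno style, as in the kernel */
#define ERR_INVAL (-22)
#define ERR_NOSPC (-28)
static struct session *tbl[MAX_SESSIONS];

static struct session *lookup(uint64_t id)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (tbl[i] && tbl[i]->id == id)
            return tbl[i];
    return NULL;
}

/* Setup is two steps, so a logoff for the id can arrive in between them. */
int session_setup_begin(uint64_t id)
{
    if (lookup(id))
        return ERR_INVAL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (tbl[i] || !(tbl[i] = malloc(sizeof(**tbl))))
            continue;   /* slot taken, or allocation failed: try the next */
        *tbl[i] = (struct session){ id, SESS_IN_PROGRESS, 1 };
        return 0;
    }
    return ERR_NOSPC;
}

int session_setup_finish(uint64_t id)
{
    struct session *s = lookup(id);
    if (!s || s->state != SESS_IN_PROGRESS)
        return ERR_NOENT;
    s->state = SESS_VALID;
    return 0;
}

/* Validated lookup: NULL unless the session exists and is fully set up. */
struct session *session_get(uint64_t id)
{
    struct session *s = lookup(id);
    if (!s || s->state != SESS_VALID)
        return NULL;
    s->refcount++;
    return s;
}

void session_put(struct session *s)
{
    if (--s->refcount)
        return;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (tbl[i] == s)
            tbl[i] = NULL;
    free(s);
}

/* Hazardous shape: the lookup result is used with no NULL or state check; an
 * id the table does not hold reads through NULL (an oops in the kernel). */
int smb2_logoff_unchecked(uint64_t id)
{
    struct session *s = lookup(id);
    s->state = SESS_EXPIRED;
    return 0;
}

/* Hardened shape: validate pointer and state, then drop the table's reference
 * exactly once; a request still holding the session keeps it allocated. */
int smb2_logoff_checked(uint64_t id)
{
    struct session *s = session_get(id);
    if (!s)
        return ERR_NOENT;   /* unknown, still in setup, or already logged off */
    s->state = SESS_EXPIRED;
    s->refcount--;          /* the table's reference; ours keeps s alive */
    session_put(s);
    return 0;
}

int main(void)
{
    session_setup_begin(1);
    printf("logoff during setup: %d\n", smb2_logoff_checked(1));
    session_setup_finish(1);
    struct session *inflight = session_get(1);  /* e.g. a READ still running */
    printf("logoff when valid: %d\n", smb2_logoff_checked(1));
    printf("id reusable while the READ holds it: %d\n", session_setup_begin(1) == 0);
    session_put(inflight);
    printf("id reusable after its put: %d\n", session_setup_begin(1) == 0);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it; the hardened path prints -2, 0, 0, 1 in that order. Calling smb2_logoff_unchecked() with an id the table does not hold segfaults the process, which is the user-space analogue of the oops the advisory text describes, and is the reason the hardened handler goes through session_get() rather than the raw lookup.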
On Tue, Nov 28, 2023 at 01:50:01AM +0300, Cengiz Can wrote:
> [...]

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
On 27.11.23 23:50, Cengiz Can wrote:
> [...]

Applied to jammy:linux/master-next. Thanks.

-Stefan