APPLIED: [SRU Jammy 0/3] CVE-2023-32252
Stefan Bader
stefan.bader at canonical.com
Tue Nov 28 10:35:50 UTC 2023
On 27.11.23 23:50, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB
> server. The specific flaw exists within the handling of SMB2_LOGOFF commands.
> The issue results from the lack of proper validation of a pointer prior to
> accessing it. An attacker can leverage this vulnerability to create a
> denial-of-service condition on the system.
>
> [Fix]
> In addition to the fix commit, two other commits were required.
>
> They required some careful context adjustments.
>
> [Test case]
> Compile, boot and ksmbd-tools (upstream version) tested.
>
> Please do note that in our shipped configurations, ksmbd-tools is not provided
> by default. Nor its use is encouraged.
>
> Plus, our ksmbd-tools package version in Jammy is not in sync with the kernel
> side API so many operations like `ksmbd.addshare` fails to parse cli arguments.
>
> Test steps:
> ```
> #
> # Get latest ksmbd-tools from upstream
> #
>
> sudo apt install -y automake libtool-dev libkrb5-dev libkrb5-3 \
> pkg-config libglib2.0-dev libnl-genl-3-dev libnl-3-dev
> git clone https://github.com/cifsd-team/ksmbd-tools.git
> cd ksmbd-tools/
> ./autogen.sh
> ./configure --with-rundir=/run
> make -j$(nproc)
> sudo make install
>
> #
> # Test a few, very basic set of operations
> #
> mkdir -p /home/ubuntu/test_share
> sudo ksmbd.adduser --add ubuntu --password=ksmbdtest
> sudo ksmbd.addshare --add \
> --option "path = /home/ubuntu/test_share" \
> --option 'read only = no' \
> --option "force user = ubuntu" \
> --option "force group = ubuntu" \
> test_share
> sudo modprobe ksmbd
> sudo ksmbd.mountd
> sudo mount -o username=ubuntu,password=ksmbdtest //127.0.0.1/test_share /mnt
> echo -n ABC123 | tee /home/ubuntu/test_share/data
> test "$(cat /mnt/data)" = "ABC123" && echo "OK" || echo "FAIL"
> cp /home/ubuntu/test_share/{data,data2}
> sudo rm /mnt/data
> mv /home/ubuntu/test_share/{data2,data3}
> test "$(cat /mnt/data3)" = "ABC123" && echo "OK" || echo "FAIL"
> sudo ksmbd.control --shutdown
> sudo ksmbd.addshare --delete test_share
> sudo ksmbd.adduser --delete ubuntu
> sudo umount /mnt
> sudo modprobe -r ksmbd
> ```
>
> [Where things could go wrong]
> Since the ksmbd is still experimental, lots of things can go wrong.
>
> Dawei Li (1):
> ksmbd: Implements sess->ksmbd_chann_list as xarray
>
> Namjae Jeon (1):
> ksmbd: fix racy issue from session setup and logoff
>
> Yufan Chen (1):
> ksmbd: add smb-direct shutdown
>
> fs/ksmbd/connection.c | 23 +++++---
> fs/ksmbd/connection.h | 40 ++++++++------
> fs/ksmbd/mgmt/user_session.c | 62 +++++++++------------
> fs/ksmbd/mgmt/user_session.h | 4 +-
> fs/ksmbd/server.c | 3 +-
> fs/ksmbd/smb2pdu.c | 103 +++++++++++++++++------------------
> fs/ksmbd/transport_rdma.c | 10 ++++
> fs/ksmbd/transport_tcp.c | 2 +-
> 8 files changed, 127 insertions(+), 120 deletions(-)
>
Applied to jammy:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20231128/abbd77d3/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20231128/abbd77d3/attachment-0001.sig>
More information about the kernel-team
mailing list