CVE-2022-49271
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 26/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent bad output lengths in smb2_ioctl_query_info()

When calling smb2_ioctl_query_info() with smb_query_info::flags=PASSTHRU_FSCTL and smb_query_info::output_buffer_length=0, the following would return 0x10

	buffer = memdup_user(arg + sizeof(struct smb_query_info),
			     qi.output_buffer_length);
	if (IS_ERR(buffer)) {
		kfree(vars);
		return PTR_ERR(buffer);
	}

rather than a valid pointer, thus making the IS_ERR() check fail. This would then cause a NULL ptr dereference in @buffer when accessing it later in smb2_ioctl_query_ioctl(). While at it, prevent having a @buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO FileEndOfFileInformation requests when smb_query_info::flags=PASSTHRU_SET_INFO.

Here is a small C reproducer which triggers a NULL ptr in @buffer when passing an invalid smb_query_info::flags

	#include
	#include
	#include
	#include
	#include
	#include

	#define die(s) perror(s), exit(1)
	#define QUERY_INFO 0xc018cf07

	int main(int argc, char *argv[])
	{
		int fd;

		if (argc
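The description above turns on a kernel convention that is worth seeing in isolation: a zero-length memdup_user() returns ZERO_SIZE_PTR (the value 0x10), which IS_ERR() does not treat as an error, so the caller walks on with a pointer that is neither NULL nor valid. The userspace C program below is an added illustration, not code from the kernel or from this CVE record. It re-implements the IS_ERR()/ZERO_OR_NULL_PTR() arithmetic with the constants from include/linux/err.h and include/linux/slab.h, stands in a stub for memdup_user(), and contrasts the unpatched IS_ERR()-only check with an up-front length validation of the kind the fix describes (non-zero, and at least 8 bytes for PASSTHRU_SET_INFO). The flag values, the struct, fake_memdup_user() and validate_output_length() are assumptions made for the illustration, not the kernel's own code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdbool.h>

/* Constants as defined in the kernel (include/linux/err.h, include/linux/slab.h). */
#define MAX_ERRNO 4095
#define ZERO_SIZE_PTR ((void *)16)

/* Assumed flag values for smb_query_info::flags, used only in this illustration. */
enum { MODEL_PASSTHRU_FSCTL = 1, MODEL_PASSTHRU_SET_INFO = 2 };

/* IS_ERR(): only the top 4095 addresses encode an -errno value. */
static bool is_err(const void *ptr) {
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* ZERO_OR_NULL_PTR(): catches NULL and ZERO_SIZE_PTR, which IS_ERR() does not. */
static bool zero_or_null_ptr(const void *ptr) {
    return (unsigned long)ptr <= (unsigned long)ZERO_SIZE_PTR;
}

/* Stub standing in for memdup_user(): a zero-length copy yields ZERO_SIZE_PTR,
 * not an error pointer, matching the 0x10 the advisory describes. */
static void *fake_memdup_user(const void *src, size_t len) {
    if (len == 0)
        return ZERO_SIZE_PTR;
    void *p = malloc(len);
    if (!p)
        return (void *)(long)-ENOMEM;
    memcpy(p, src, len);
    return p;
}

/* Unpatched pattern: trust IS_ERR() alone. Returns 1 when the caller would
 * proceed with a pointer that must not be dereferenced, 0 otherwise. */
static int unpatched_accepts_bad_buffer(unsigned int output_buffer_length) {
    static const char user_payload[64] = {0}; /* constructed stand-in for user data */
    void *buffer = fake_memdup_user(user_payload, output_buffer_length);
    if (is_err(buffer))
        return 0;                   /* error path taken correctly */
    int bad = zero_or_null_ptr(buffer);
    if (!bad)
        free(buffer);               /* real allocation: safe to use and release */
    return bad;                     /* 1 means ZERO_SIZE_PTR slipped through */
}

/* Modelled fix: validate the requested length before any copy happens.
 * Zero is never acceptable; SET_INFO needs room for a FileEndOfFileInformation
 * payload, which is 8 bytes. Returns 0 on success or -EINVAL. */
static long validate_output_length(unsigned int flags, unsigned int output_buffer_length) {
    if (output_buffer_length == 0)
        return -EINVAL;
    if (flags == MODEL_PASSTHRU_SET_INFO && output_buffer_length < 8)
        return -EINVAL;
    return 0;
}

int main(void) {
    printf("IS_ERR(ZERO_SIZE_PTR)          = %d\n", is_err(ZERO_SIZE_PTR));
    printf("ZERO_OR_NULL_PTR(ZERO_SIZE_PTR) = %d\n", zero_or_null_ptr(ZERO_SIZE_PTR));
    printf("unpatched, length 0   -> bad pointer reaches caller: %d\n",
           unpatched_accepts_bad_buffer(0));
    printf("unpatched, length 16  -> bad pointer reaches caller: %d\n",
           unpatched_accepts_bad_buffer(16));
    printf("validate(FSCTL, 0)    = %ld\n", validate_output_length(MODEL_PASSTHRU_FSCTL, 0));
    printf("validate(SET_INFO, 4) = %ld\n", validate_output_length(MODEL_PASSTHRU_SET_INFO, 4));
    printf("validate(SET_INFO, 8) = %ld\n", validate_output_length(MODEL_PASSTHRU_SET_INFO, 8));
    return 0;
}
```

The general lesson for reviewers of kernel code that copies user-supplied buffers: a length that the user controls must be checked before the allocation, because IS_ERR() on the result only catches allocation failures, not the zero-size sentinel; ZERO_OR_NULL_PTR() exists precisely for that second case.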
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/7529fbee10d82493c5cb109e51788bf74816d1c0
- https://git.kernel.org/stable/c/9963ccea6087268e1275b992dca5d0dd4b938765
- https://git.kernel.org/stable/c/b92e358757b91c2827af112cae9af513f26a3f34
- https://git.kernel.org/stable/c/f143f8334fb9eb2f6c7c15b9da1472d9c965fd84
- https://git.kernel.org/stable/c/fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53