CVE-2024-46795
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 18/09/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset the binding mark of a reused connection

Steve French reported a null pointer dereference error from the sha256 lib.
cifs.ko can send session setup requests on a reused connection.
If a reused connection is used for a binding session, conn->binding can
still remain true and generate_preauth_hash() will not set
sess->Preauth_HashValue and it will be NULL.
It is used as a material to create an encryption key in
ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue causes a null pointer
dereference error from crypto_shash_update().

```
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]

? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
```
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15 (including) | 5.15.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.110 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.51 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/41bc256da7e47b679df87c7fc7a5b393052b9cce
- https://git.kernel.org/stable/c/4c8496f44f5bb5c06cdef5eb130ab259643392a1
- https://git.kernel.org/stable/c/78c5a6f1f630172b19af4912e755e1da93ef0ab5
- https://git.kernel.org/stable/c/93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02
- https://git.kernel.org/stable/c/9914f1bd61d5e838bb1ab15a71076d37a6db65d1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html