2024-11-19 18:01:00 +00:00
|
|
|
{
|
2024-12-29 03:20:19 +00:00
|
|
|
"data_version": "4.0",
|
2024-11-19 18:01:00 +00:00
|
|
|
"data_type": "CVE",
|
|
|
|
|
"data_format": "MITRE",
|
|
|
|
|
"CVE_data_meta": {
|
|
|
|
|
"ID": "CVE-2024-53185",
|
2024-12-29 03:20:19 +00:00
|
|
|
"ASSIGNER": "cve@kernel.org",
|
|
|
|
|
"STATE": "PUBLIC"
|
2024-11-19 18:01:00 +00:00
|
|
|
},
|
|
|
|
|
"description": {
|
|
|
|
|
"description_data": [
|
|
|
|
|
{
|
|
|
|
|
"lang": "eng",
|
2024-12-29 03:20:19 +00:00
|
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix NULL ptr deref in crypto_aead_setkey()\n\nNeither SMB3.0 or SMB3.02 supports encryption negotiate context, so\nwhen SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,\nthe client uses AES-128-CCM as the default cipher. See MS-SMB2\n3.3.5.4.\n\nCommit b0abcd65ec54 (\"smb: client: fix UAF in async decryption\") added\na @server->cipher_type check to conditionally call\nsmb3_crypto_aead_allocate(), but that check would always be false as\n@server->cipher_type is unset for SMB3.02.\n\nFix the following KASAN splat by setting @server->cipher_type for\nSMB3.02 as well.\n\nmount.cifs //srv/share /mnt -o vers=3.02,seal,...\n\nBUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130\nRead of size 8 at addr 0000000000000020 by task mount.cifs/1095\nCPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? crypto_aead_setkey+0x2c/0x130\n kasan_report+0xda/0x110\n ? crypto_aead_setkey+0x2c/0x130\n crypto_aead_setkey+0x2c/0x130\n crypt_message+0x258/0xec0 [cifs]\n ? __asan_memset+0x23/0x50\n ? __pfx_crypt_message+0x10/0x10 [cifs]\n ? mark_lock+0xb0/0x6a0\n ? hlock_class+0x32/0xb0\n ? mark_lock+0xb0/0x6a0\n smb3_init_transform_rq+0x352/0x3f0 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n smb_send_rqst+0x144/0x230 [cifs]\n ? __pfx_smb_send_rqst+0x10/0x10 [cifs]\n ? hlock_class+0x32/0xb0\n ? smb2_setup_request+0x225/0x3a0 [cifs]\n ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]\n compound_send_recv+0x59b/0x1140 [cifs]\n ? __pfx_compound_send_recv+0x10/0x10 [cifs]\n ? __create_object+0x5e/0x90\n ? hlock_class+0x32/0xb0\n ? do_raw_spin_unlock+0x9a/0xf0\n cifs_send_recv+0x23/0x30 [cifs]\n SMB2_tcon+0x3ec/0xb30 [cifs]\n ? __pfx_SMB2_tcon+0x10/0x10 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n ? __pfx_lock_release+0x10/0x10\n ? do_raw_spin_trylock+0xc6/0x120\n ? lock_acquire+0x3f/0x90\n ? _get_xid+0x16/0xd0 [cifs]\n ? __pfx_SMB2_tcon+0x10/0x10 [cifs]\n ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]\n cifs_get_smb_ses+0xcdd/0x10a0 [cifs]\n ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]\n ? cifs_get_tcp_session+0xaa0/0xca0 [cifs]\n cifs_mount_get_session+0x8a/0x210 [cifs]\n dfs_mount_share+0x1b0/0x11d0 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? lock_release+0x203/0x5d0\n cifs_mount+0xb3/0x3d0 [cifs]\n ? do_raw_spin_trylock+0xc6/0x120\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\n ? lock_acquire+0x3f/0x90\n ? find_nls+0x16/0xa0\n ? smb3_update_mnt_flags+0x372/0x3b0 [cifs]\n cifs_smb3_do_mount+0x1e2/0xc80 [cifs]\n ? __pfx_vfs_parse_fs_string+0x10/0x10\n ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]\n smb3_get_tree+0x1bf/0x330 [cifs]\n vfs_get_tree+0x4a/0x160\n path_mount+0x3c1/0xfb0\n ? kasan_quarantine_put+0xc7/0x1d0\n ? __pfx_path_mount+0x10/0x10\n ? kmem_cache_free+0x118/0x3e0\n ? user_path_at+0x74/0xa0\n __x64_sys_mount+0x1a6/0x1e0\n ? __pfx___x64_sys_mount+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"problemtype": {
|
|
|
|
|
"problemtype_data": [
|
|
|
|
|
{
|
|
|
|
|
"description": [
|
|
|
|
|
{
|
|
|
|
|
"lang": "eng",
|
|
|
|
|
"value": "n/a"
|
|
|
|
|
}
|
|
|
|
|
]
|
2024-11-19 18:01:00 +00:00
|
|
|
}
|
|
|
|
|
]
|
2024-12-29 03:20:19 +00:00
|
|
|
},
|
|
|
|
|
"affects": {
|
|
|
|
|
"vendor": {
|
|
|
|
|
"vendor_data": [
|
|
|
|
|
{
|
|
|
|
|
"vendor_name": "Linux",
|
|
|
|
|
"product": {
|
|
|
|
|
"product_data": [
|
|
|
|
|
{
|
|
|
|
|
"product_name": "Linux",
|
|
|
|
|
"version": {
|
|
|
|
|
"version_data": [
|
2025-02-02 11:00:35 +00:00
|
|
|
{
|
|
|
|
|
"version_affected": "<",
|
|
|
|
|
"version_name": "bce966530fd5542bbb422cb45ecb775f7a1a6bc3",
|
|
|
|
|
"version_value": "44c495818d9c4a741ab9e6bc9203ccc9f55f6f40"
|
|
|
|
|
},
|
2024-12-29 03:20:19 +00:00
|
|
|
{
|
|
|
|
|
"version_affected": "<",
|
|
|
|
|
"version_name": "0809fb86ad13b29e1d6d491364fc7ea4fb545995",
|
|
|
|
|
"version_value": "46f8e25926817272ec8d5bfbd003569bdeb9a8c8"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version_affected": "<",
|
|
|
|
|
"version_name": "538c26d9bf70c90edc460d18c81008a4e555925a",
|
|
|
|
|
"version_value": "22127c1dc04364cda3da812161e70921e6c3c0af"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version_affected": "<",
|
|
|
|
|
"version_name": "b0abcd65ec545701b8793e12bc27dc98042b151a",
|
|
|
|
|
"version_value": "9b8904b53b5ace0519c74cd89fc3ca763f3856d4"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version_value": "not down converted",
|
|
|
|
|
"x_cve_json_5_version_data": {
|
|
|
|
|
"versions": [
|
|
|
|
|
{
|
|
|
|
|
"version": "6.12",
|
|
|
|
|
"status": "affected"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version": "0",
|
|
|
|
|
"lessThan": "6.12",
|
|
|
|
|
"status": "unaffected",
|
|
|
|
|
"versionType": "semver"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version": "6.6.64",
|
|
|
|
|
"lessThanOrEqual": "6.6.*",
|
|
|
|
|
"status": "unaffected",
|
|
|
|
|
"versionType": "semver"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version": "6.11.11",
|
|
|
|
|
"lessThanOrEqual": "6.11.*",
|
|
|
|
|
"status": "unaffected",
|
|
|
|
|
"versionType": "semver"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"version": "6.12.2",
|
|
|
|
|
"lessThanOrEqual": "6.12.*",
|
|
|
|
|
"status": "unaffected",
|
|
|
|
|
"versionType": "semver"
|
|
|
|
|
},
|
|
|
|
|
{
|
2025-02-02 11:00:35 +00:00
|
|
|
"version": "6.13",
|
2024-12-29 03:20:19 +00:00
|
|
|
"lessThanOrEqual": "*",
|
|
|
|
|
"status": "unaffected",
|
|
|
|
|
"versionType": "original_commit_for_fix"
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"defaultStatus": "affected"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"references": {
|
|
|
|
|
"reference_data": [
|
2025-02-02 11:00:35 +00:00
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/44c495818d9c4a741ab9e6bc9203ccc9f55f6f40",
|
|
|
|
|
"refsource": "MISC",
|
|
|
|
|
"name": "https://git.kernel.org/stable/c/44c495818d9c4a741ab9e6bc9203ccc9f55f6f40"
|
|
|
|
|
},
|
2024-12-29 03:20:19 +00:00
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/46f8e25926817272ec8d5bfbd003569bdeb9a8c8",
|
|
|
|
|
"refsource": "MISC",
|
|
|
|
|
"name": "https://git.kernel.org/stable/c/46f8e25926817272ec8d5bfbd003569bdeb9a8c8"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/22127c1dc04364cda3da812161e70921e6c3c0af",
|
|
|
|
|
"refsource": "MISC",
|
|
|
|
|
"name": "https://git.kernel.org/stable/c/22127c1dc04364cda3da812161e70921e6c3c0af"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/9b8904b53b5ace0519c74cd89fc3ca763f3856d4",
|
|
|
|
|
"refsource": "MISC",
|
|
|
|
|
"name": "https://git.kernel.org/stable/c/9b8904b53b5ace0519c74cd89fc3ca763f3856d4"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2",
|
|
|
|
|
"refsource": "MISC",
|
|
|
|
|
"name": "https://git.kernel.org/stable/c/4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"generator": {
|
|
|
|
|
"engine": "bippy-5f407fcff5a0"
|
2024-11-19 18:01:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
