CVE-2024-50151— smb: client: fix OOBs when building SMB2_IOCTL request
Affected Version Matrix 16
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e77fe73c7e38c36145825d84cfe385d400aba4fd< 6f0516ef1290da24b85461ed08a0938af7415e49 | affected |
e77fe73c7e38c36145825d84cfe385d400aba4fd< ed31aba8ce93472d9e16f5cff844ae7c94e9601d | affected | ||
e77fe73c7e38c36145825d84cfe385d400aba4fd< e07d05b7f5ad9a503d9cab0afde2ab867bb65470 | affected | ||
e77fe73c7e38c36145825d84cfe385d400aba4fd< 2ef632bfb888d1a14f81c1703817951e0bec5531 | affected | ||
e77fe73c7e38c36145825d84cfe385d400aba4fd< b209c3a0bc3ac172265c7fa8309e5d00654f2510 | affected | ||
e77fe73c7e38c36145825d84cfe385d400aba4fd< fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec | affected | ||
e77fe73c7e38c36145825d84cfe385d400aba4fd< 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 | affected | ||
5.0 | affected | ||
| … +8 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-50151
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
smb: client: fix OOBs when building SMB2_IOCTL request
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOBs when building SMB2_IOCTL request When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command(). SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set_next_command() will end up writing off the end of @rqst->iov[0].iov_base as shown below: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link BUG: KASAN: slab-out-of-bounds in smb2_set_next_command.cold+0x1d6/0x24c [cifs] Write of size 4116 at addr ffff8881148fcab8 by task ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] print_report+0x156/0x4d9 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] ? __virt_addr_valid+0x145/0x310 ? __phys_addr+0x46/0x90 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_report+0xda/0x110 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_check_range+0x10f/0x1f0 __asan_memcpy+0x3c/0x60 smb2_set_next_command.cold+0x1d6/0x24c [cifs] smb2_compound_op+0x238c/0x3840 [cifs] ? kasan_save_track+0x14/0x30 ? kasan_save_free_info+0x3b/0x70 ? vfs_symlink+0x1a1/0x2c0 ? do_symlinkat+0x108/0x1c0 ? __pfx_smb2_compound_op+0x10/0x10 [cifs] ? kmem_cache_free+0x118/0x3e0 ? cifs_get_writable_path+0xeb/0x1a0 [cifs] smb2_get_reparse_inode+0x423/0x540 [cifs] ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? __kmalloc_noprof+0x37c/0x480 ? smb2_create_reparse_symlink+0x257/0x490 [cifs] ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] smb2_create_reparse_symlink+0x38f/0x490 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] cifs_symlink+0x24f/0x960 [cifs] ? __pfx_make_vfsuid+0x10/0x10 ? __pfx_cifs_symlink+0x10/0x10 [cifs] ? make_vfsgid+0x6b/0xc0 ? generic_permission+0x96/0x2d0 vfs_symlink+0x1a1/0x2c0 do_symlinkat+0x108/0x1c0 ? __pfx_do_symlinkat+0x10/0x10 ? strncpy_from_user+0xaa/0x160 __x64_sys_symlinkat+0xb9/0xf0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于在构建SMB2_IOCTL请求时,超出边界的写入操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-50151
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-50151
请登录查看更多情报信息。
Patch · 2
Same Patch Batch · Linux · 2024-11-07 · 34 CVEs total
| CVE-2024-50165 | bpf: Preserve param->string when parsing mount options | |
| CVE-2024-50157 | RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop | |
| CVE-2024-50158 | RDMA/bnxt_re: Fix out of bound check | |
| CVE-2024-50159 | firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup() | |
| CVE-2024-50160 | ALSA: hda/cs8409: Fix possible NULL dereference | |
| CVE-2024-50161 | bpf: Check the remaining info_cnt before repeating btf fields | |
| CVE-2024-50162 | bpf: devmap: provide rxq after redirect | |
| CVE-2024-50163 | bpf: Make sure internal and UAPI bpf_redirect flags don't overlap | |
| CVE-2024-50164 | bpf: Fix overloading of MEM_UNINIT's meaning | |
| CVE-2024-50156 | drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() | |
| CVE-2024-50166 | fsl/fman: Fix refcount handling of fman-related devices | |
| CVE-2024-50167 | be2net: fix potential memory leak in be_xmit() | |
| CVE-2024-50168 | net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() | |
| CVE-2024-50169 | vsock: Update rx_bytes on read_skb() | |
| CVE-2024-50170 | net: bcmasp: fix potential memory leak in bcmasp_xmit() | |
| CVE-2024-50171 | net: systemport: fix potential memory leak in bcm_sysport_xmit() | |
| CVE-2024-50172 | RDMA/bnxt_re: Fix a possible memory leak | |
| CVE-2024-50139 | KVM: arm64: Fix shift-out-of-bounds bug | |
| CVE-2024-50155 | netdevsim: use cond_resched() in nsim_dev_trap_report_work() | |
| CVE-2024-50154 | tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). |
Showing top 20 of 34 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects - CVE-2026-43499
rtmutex: Use waiter::task instead of current in remove_waite - CVE-2026-43497
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-aft
Same vendor: Linux
- CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects - CVE-2026-43499
rtmutex: Use waiter::task instead of current in remove_waite - CVE-2026-43497
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-aft
V. Comments for CVE-2024-50151
No comments yet