
# Linux Kernel: Out of bounds Read in ksmbd_vfs_stream_read

## Package

## Affected versions

## Patched versions

## Description

### Summary

Ksmbd, the in-kernel SMB server in Linux, uses extended attributes to store the Alternate Data Streams (ADS) associated with files. Two vulnerabilities exist in the handling of requests for files with ADS when an extremely large offset is provided. The ksmbd_vfs_stream_read function, which reads data from the extended attribute that backs a file's ADS, fails to properly validate the provided offset (*pos). This allows an attacker to supply a negative offset, leading to an out-of-bounds read from stream_buf.

### Severity

Critical – This vulnerability can allow an attacker to remotely read sensitive information from the kernel memory preceding stream_buf and/or cause a denial of service.

### Analysis

```c
static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
				 size_t count)
{
	ssize_t v_len;
	char *stream_buf = NULL;

	ksmbd_debug(VFS, "read stream data pos : %llu, count : %zd\n",
		    *pos, count);

	v_len = ksmbd_vfs_getcasexattr(file_mnt_idmap(fp->filp),  // (1)
				       fp->filp->f_path.dentry,
				       fp->stream.name,
				       fp->stream.size,
				       &stream_buf);
	if ((int)v_len
```
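The following userspace model, added here as an illustration and not taken from the kernel or from this advisory, shows the bounds check an xattr-backed stream read needs. `loff_t` is a signed 64-bit type, so a length-only comparison (`length_only_check`, an assumed model of an insufficient check, since the page's snippet is cut off before the kernel's own test) accepts a negative offset; `stream_read_checked` rejects negative and past-end offsets and clamps the count to the bytes that remain. `STREAM_DATA` is a constructed stand-in for the extended-attribute contents returned in `stream_buf`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef int64_t loff_t;   /* kernel loff_t is a signed 64-bit offset */

/* Constructed stand-in for the ADS bytes that getxattr would return. */
static const char STREAM_DATA[] = "ads-stream-contents";
static const ssize_t STREAM_LEN = (ssize_t)sizeof(STREAM_DATA) - 1;

/* Assumed model of an insufficient check: it only asks whether the offset
 * lies below the stream length, so a negative offset passes. */
int length_only_check(loff_t pos, ssize_t v_len)
{
	return pos < v_len;
}

/* Offset is usable only when the xattr read succeeded and 0 <= pos < v_len. */
int stream_offset_ok(loff_t pos, ssize_t v_len)
{
	return v_len >= 0 && pos >= 0 && pos < v_len;
}

/* Hardened read from an xattr-backed stream buffer.
 * Returns the number of bytes copied into out, or a negative errno. */
ssize_t stream_read_checked(const char *stream_buf, ssize_t v_len,
			    char *out, loff_t *pos, size_t count)
{
	if (v_len < 0)                   /* xattr lookup failed */
		return -EINVAL;
	if (!stream_offset_ok(*pos, v_len))  /* negative or past-end offset */
		return -EINVAL;
	if ((size_t)(v_len - *pos) < count)  /* clamp to the bytes remaining */
		count = (size_t)(v_len - *pos);
	memcpy(out, stream_buf + *pos, count);
	*pos += (loff_t)count;
	return (ssize_t)count;
}

int main(void)
{
	char out[32];
	loff_t pos = -4096;

	/* The length-only model accepts a negative offset; the full check does not. */
	printf("length-only check accepts -4096: %d\n",
	       length_only_check(pos, STREAM_LEN));
	printf("full check accepts -4096:        %d\n",
	       stream_offset_ok(pos, STREAM_LEN));
	/* Same offset printed with %llu, as the ksmbd_debug line does: the sign is hidden. */
	printf("as %%llu the offset logs as:     %llu\n", (unsigned long long)pos);

	pos = 4;
	ssize_t n = stream_read_checked(STREAM_DATA, STREAM_LEN, out, &pos, 6);
	printf("read %zd bytes: %.*s, new pos %lld\n", n, (int)n, out, (long long)pos);
	return 0;
}
```

Note that the kernel's debug line prints `*pos` with `%llu`, so a negative offset appears in the log as a very large unsigned value rather than a negative number; a defender checking ksmbd debug output for this condition should look for implausibly large stream offsets, not negative ones.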
