**security-research** Public

# Linux Kernel: Out of bounds Write in ksmbd_vfs_stream_write

## Package

## Affected versions

## Patched versions

## Description

### Summary

The `ksmbd_vfs_stream_write` function, which writes data into the extended attribute that ksmbd uses to back an Alternate Data Stream (ADS), does not validate the write offset it receives. A negative offset is used directly as an index into the xattr buffer, which lets a client write attacker-controlled data outside the bounds of the allocated buffer.

### Severity

Critical. The out-of-bounds write carries attacker-controlled bytes at an attacker-controlled offset and length, so it can be used to corrupt kernel heap memory. This could allow an attacker to hijack the control flow of the kernel and execute arbitrary code with kernel privileges, or to cause a denial of service.

### Analysis

The function as it appears upstream (the spans that the page rendering dropped between `<` and `>` characters are restored here from the kernel source):

```c
static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
				  size_t count)
{
	char *stream_buf = NULL, *wbuf;
	struct mnt_idmap *idmap = file_mnt_idmap(fp->filp);
	size_t size;
	ssize_t v_len;
	int err = 0;

	ksmbd_debug(VFS, "write stream data pos : %llu, count : %zd\n",
		    *pos, count);

	size = *pos + count; // (1)
	if (size > XATTR_SIZE_MAX) {
		size = XATTR_SIZE_MAX;
		count = (*pos + count) - XATTR_SIZE_MAX;
	}

	v_len = ksmbd_vfs_getcasexattr(idmap,
				       fp->filp->f_path.dentry,
				       fp->stream.name,
				       fp->stream.size,
				       &stream_buf);
	if (v_len < 0) {
		pr_err("not found stream in xattr : %zd\n", v_len);
		err = v_len;
		goto out;
	}

	if (v_len < size) {
		wbuf = kvzalloc(size, GFP_KERNEL);
		if (!wbuf) {
			err = -ENOMEM;
			goto out;
		}

		if (v_len > 0)
			memcpy(wbuf, stream_buf, v_len);
		kvfree(stream_buf);
		stream_buf = wbuf;
	}

	memcpy(&stream_buf[*pos], buf, count); // (2)

	err = ksmbd_vfs_setxattr(idmap,
				 &fp->filp->f_path,
				 fp->stream.name,
				 (void *)stream_buf,
				 size,
				 0,
				 true);
	if (err < 0)
		goto out;

	fp->filp->f_pos = *pos;
	err = 0;
out:
	kvfree(stream_buf);
	return err;
}
```

1. **Insufficient validation**: `*pos` is a `loff_t`, a signed 64-bit value that comes from the client's write request, while `size` is a `size_t`. The calculation at (1) (`size = *pos + count;`) never checks for a negative `*pos`; the sum simply wraps in unsigned arithmetic, so a negative offset paired with a small `count` yields a small `size` that passes the `XATTR_SIZE_MAX` check and is then used to size the buffer for the write. (Note that the `ksmbd_debug` line prints `*pos` with `%llu`, so a negative offset shows up in the debug log as a very large unsigned number rather than as a negative one.)
2. **Out-of-bounds write**: the `memcpy` at (2) uses `*pos` directly as an index into `stream_buf`. With a negative `*pos` the destination lies before the start of the allocated buffer, so the write corrupts whatever kernel heap memory precedes it.
3. **Attacker-controlled data**: `buf` is the payload of the client's SMB write request, so the attacker controls the bytes written out of bounds as well as their length (`count`) and the offset at which they land.

### Remediation

The code should be modified to explicitly check for a negative offset (the value arrives in this function as `*pos`) before it is used to index the buffer, and to reject the write when the check fails, for example with `-EINVAL`. This could be a simple check like:

```c
if (offset < 0)
	return -EINVAL;
```
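To make the arithmetic concrete, the following user-space model (added for this write-up; it is not ksmbd code and not part of the advisory) reproduces the `size = *pos + count` computation at (1) and the `memcpy` at (2) against a heap buffer that has a guard region in front of it, so the out-of-bounds write can be observed without crashing, and then shows the hardened check from the remediation. `XATTR_SIZE_MAX` uses the kernel's value of 65536; the guard size, the `write_plan` struct, the function names, the constructed payload and the choice to reject (rather than clamp) writes past `XATTR_SIZE_MAX` in the hardened version are this example's own assumptions.

```c
/* User-space model of the offset arithmetic in ksmbd_vfs_stream_write.
 * Added example; not ksmbd code. No kernel APIs are used: the xattr value
 * is a plain heap buffer and the SMB request is reduced to (pos, data, count). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_SIZE_MAX 65536   /* same value as the kernel's limit */
#define GUARD 32               /* bytes placed before the buffer (example choice) */

struct write_plan {
	size_t size;     /* what `size = *pos + count` evaluates to */
	size_t count;    /* count after the XATTR_SIZE_MAX clamp */
	bool in_bounds;  /* does [pos, pos + count) lie inside [0, size)? */
};

/* The vulnerable arithmetic: pos is a signed 64-bit offset, size is size_t,
 * so a negative pos wraps the sum instead of being rejected, and the
 * XATTR_SIZE_MAX check never sees a problem. */
struct write_plan plan_vulnerable(long long pos, size_t count)
{
	struct write_plan p;

	p.size = (size_t)pos + count;                        /* (1) in the advisory */
	p.count = count;
	if (p.size > XATTR_SIZE_MAX) {
		p.size = XATTR_SIZE_MAX;
		p.count = ((size_t)pos + count) - XATTR_SIZE_MAX;
	}
	p.in_bounds = pos >= 0 && (size_t)pos <= p.size &&
		      p.count <= p.size - (size_t)pos;
	return p;
}

/* Perform the memcpy at (2) against a buffer preceded by GUARD bytes of 0xAA,
 * all inside one allocation, so the out-of-bounds write is observable.
 * Returns how many guard bytes were overwritten, or (size_t)-1 when the
 * write would leave the allocation and is therefore not simulated. */
size_t simulate_write(long long pos, const char *data, size_t count)
{
	struct write_plan p = plan_vulnerable(pos, count);
	unsigned char *raw, *stream_buf;
	size_t corrupted = 0, i;

	/* p.size <= XATTR_SIZE_MAX after plan_vulnerable, so the casts are safe */
	if (p.count > XATTR_SIZE_MAX || pos < -(long long)GUARD ||
	    pos + (long long)p.count > (long long)p.size)
		return (size_t)-1;

	raw = calloc(1, GUARD + p.size);
	if (!raw)
		return (size_t)-1;
	memset(raw, 0xAA, GUARD);
	stream_buf = raw + GUARD;

	memcpy(&stream_buf[pos], data, p.count);             /* (2) in the advisory */

	for (i = 0; i < GUARD; i++)
		if (raw[i] != 0xAA)
			corrupted++;
	free(raw);
	return corrupted;
}

/* Hardened version of the same decision: reject a negative offset before any
 * arithmetic, as the remediation suggests, and refuse a write whose end would
 * exceed XATTR_SIZE_MAX instead of clamping it (a simplification chosen for
 * this example). Returns 0 on success or a negative errno value. */
int plan_hardened(long long pos, size_t count, struct write_plan *out)
{
	if (pos < 0)
		return -EINVAL;
	if ((unsigned long long)pos > XATTR_SIZE_MAX ||
	    count > XATTR_SIZE_MAX - (size_t)pos)
		return -EINVAL;
	out->size = (size_t)pos + count;
	out->count = count;
	out->in_bounds = true;
	return 0;
}

int main(void)
{
	const char payload[] = "AAAAAAAAAAAAAAAA";            /* constructed write data */
	size_t n = 16;
	struct write_plan p = plan_vulnerable(-8, n);
	struct write_plan h;

	printf("pos=-8 count=16: size wraps to %zu, in_bounds=%d\n", p.size, p.in_bounds);
	printf("guard bytes clobbered by the memcpy: %zu\n", simulate_write(-8, payload, n));
	printf("hardened check on the same request: %d\n", plan_hardened(-8, n, &h));
	return 0;
}
```

With `pos = -8` and `count = 16`, `size` wraps to 8, which passes the `XATTR_SIZE_MAX` check, and the copy lands 8 bytes before the buffer; the guard region makes that corruption countable. The hardened check rejects the same request before any buffer is touched.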
