FKIE_CVE-2025-38523

Vulnerability from fkie_nvd - Published: 2025-08-16 12:15 - Updated: 2025-11-18 21:53
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the smbd_response slab to allow usercopy The handling of received data in the smbdirect client code involves using copy_to_iter() to copy data from the smbd_reponse struct's packet trailer to a folioq buffer provided by netfslib that encapsulates a chunk of pagecache. If, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks then performed in copy_to_iter() oopsing with something like the following: CIFS: Attempting to mount //172.31.9.1/test CIFS: VFS: RDMA transport established usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)! ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:102! ... RIP: 0010:usercopy_abort+0x6c/0x80 ... Call Trace: <TASK> __check_heap_object+0xe3/0x120 __check_object_size+0x4dc/0x6d0 smbd_recv+0x77f/0xfe0 [cifs] cifs_readv_from_socket+0x276/0x8f0 [cifs] cifs_read_from_socket+0xcd/0x120 [cifs] cifs_demultiplex_thread+0x7e9/0x2d50 [cifs] kthread+0x396/0x830 ret_from_fork+0x2b8/0x3b0 ret_from_fork_asm+0x1a/0x30 The problem is that the smbd_response slab's packet field isn't marked as being permitted for usercopy. Fix this by passing parameters to kmem_slab_create() to indicate that copy_to_iter() is permitted from the packet region of the smbd_response slab objects, less the header space.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/43e7e284fc77b710d899569360ea46fa3374ae22Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f0dd353d47f7051afa98c6c60c7486831eb1a410Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "64471BC5-89E0-43B3-8318-2D7EFF377CBD",
              "versionEndExcluding": "6.12.36",
              "versionStartIncluding": "6.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7AFE5B0-F3B1-4D30-B8BF-EDA0385C4746",
              "versionEndExcluding": "6.15.8",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the smbd_response slab to allow usercopy\n\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_reponse struct\u0027s packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\n\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\n\n CIFS: Attempting to mount //172.31.9.1/test\n CIFS: VFS: RDMA transport established\n usercopy: Kernel memory exposure attempt detected from SLUB object \u0027smbd_response_0000000091e24ea1\u0027 (offset 81, size 63)!\n ------------[ cut here ]------------\n kernel BUG at mm/usercopy.c:102!\n ...\n RIP: 0010:usercopy_abort+0x6c/0x80\n ...\n Call Trace:\n  \u003cTASK\u003e\n  __check_heap_object+0xe3/0x120\n  __check_object_size+0x4dc/0x6d0\n  smbd_recv+0x77f/0xfe0 [cifs]\n  cifs_readv_from_socket+0x276/0x8f0 [cifs]\n  cifs_read_from_socket+0xcd/0x120 [cifs]\n  cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]\n  kthread+0x396/0x830\n  ret_from_fork+0x2b8/0x3b0\n  ret_from_fork_asm+0x1a/0x30\n\nThe problem is that the smbd_response slab\u0027s packet field isn\u0027t marked as\nbeing permitted for usercopy.\n\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: Arreglar el slab smbd_response para permitir usercopy El manejo de los datos recibidos en el c\u00f3digo del cliente smbdirect implica usar copy_to_iter() para copiar datos del tr\u00e1iler de paquetes de la estructura smbd_reponse a un b\u00fafer folioq proporcionado por netfslib que encapsula un trozo de pagecache. Sin embargo, si CONFIG_HARDENED_USERCOPY=y, esto dar\u00e1 como resultado que las comprobaciones realizadas en copy_to_iter() generen un error similar a lo siguiente: CIFS: Intentando montar //172.31.9.1/test CIFS: VFS: Transporte RDMA establecido usercopy: \u00a1Intento de exposici\u00f3n de memoria del kernel detectado desde el objeto SLUB \u0027smbd_response_0000000091e24ea1\u0027 (desplazamiento 81, tama\u00f1o 63)!-----------[ cut here ]------------ kernel BUG at mm/usercopy.c:102! ... RIP: 0010:usercopy_abort+0x6c/0x80 ... Call Trace:  __check_heap_object+0xe3/0x120 __check_object_size+0x4dc/0x6d0 smbd_recv+0x77f/0xfe0 [cifs] cifs_readv_from_socket+0x276/0x8f0 [cifs] cifs_read_from_socket+0xcd/0x120 [cifs] cifs_demultiplex_thread+0x7e9/0x2d50 [cifs] kthread+0x396/0x830 ret_from_fork+0x2b8/0x3b0 ret_from_fork_asm+0x1a/0x30 El problema es que la respuesta smbd_response El campo de paquete de slab no est\u00e1 marcado como permitido para copia de usuario. Se soluciona pasando par\u00e1metros a kmem_slab_create() para indicar que se permite copy_to_iter() desde la regi\u00f3n de paquete de los objetos slab smbd_response, menos el espacio de encabezado."
    }
  ],
  "id": "CVE-2025-38523",
  "lastModified": "2025-11-18T21:53:29.273",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-16T12:15:27.667",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/43e7e284fc77b710d899569360ea46fa3374ae22"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f0dd353d47f7051afa98c6c60c7486831eb1a410"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.