ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)
Overview
This page summarizes practical techniques for exercising and fuzzing the Linux in-kernel SMB server (ksmbd) with syzkaller. It focuses on expanding the protocol attack surface through configuration, building a stateful harness that can chain SMB2 operations, generating grammar-valid PDUs, steering mutations toward weakly-covered code paths, and using syzkaller features such as focus_areas and ANYBLOB. Although the original research enumerated specific CVEs, the emphasis here is on the reusable methodology and on code snippets you can adapt to your own environment.
Target scope: SMB2/SMB3 over TCP. Kerberos and RDMA are deliberately left out to keep the harness simple.
Expand the ksmbd Attack Surface via Configuration
By default, a minimal ksmbd configuration leaves large parts of the server untested. Enable the following features to push the server through additional parsers/handlers and reach deeper code paths:
- Global level
  - Durable handles
  - Server multi-channel
  - SMB2 leases
- Per-share level
  - Oplocks (enabled by default)
  - VFS objects
Toggling these features increases execution in modules such as:
- smb2pdu.c (command parsing/dispatch)
- ndr.c (NDR encode/decode)
- oplock.c (oplock request/break)
- smbacl.c (ACL parsing/enforcement)
- vfs.c (VFS ops)
- vfs_cache.c (lookup cache)
Notes
- The exact options depend on your distro's ksmbd userspace (ksmbd-tools). Review /etc/ksmbd/ksmbd.conf and the per-share sections to enable durable handles, leases, oplocks and VFS objects.
- Multi-channel and durable handles change the state machines and object lifetimes, and frequently surface UAF/refcount/OOB bugs under concurrency.
Authentication and Rate-Limit Adjustments for Fuzzing
SMB3 requires a valid session. Wiring Kerberos into the harness adds complexity, so NTLM/guest is preferred for fuzzing:
- Allow guest access and set map to guest = bad user so that unknown users fall back to GUEST.
- Accept NTLMv2 (adjust the policy if it is disabled). This keeps the handshake simple while still exercising the SMB3 code paths.
- Patch out or relax strict credit checks during experiments (the hardening that followed CVE-2024-50285 made crediting of simultaneous operations stricter). Otherwise the rate limits may reject fuzzed sequences too early.
- Increase max connections (e.g., to 65536) to avoid early rejection during high-throughput fuzzing.
Caution: these relaxations exist only to enable fuzzing. Do not run these settings in production.
Stateful Harness: Extract Resources and Chain Requests
SMB is stateful: many requests depend on identifiers returned by earlier responses (SessionId, TreeID, FileID pairs). Your harness must parse responses and reuse those IDs within the same program to reach deeper handlers (e.g., smb2_create → smb2_ioctl → smb2_close).
Example snippet for handling a response buffer (without the +4B NetBIOS PDU length) and storing the IDs:
```c
// process response. does not contain +4B PDU length
#include <stddef.h>
#include <stdint.h>
/* SMB2 command codes (MS-SMB2 2.2.1.2) */
#define SMB2_SESS_SETUP   0x0001
#define SMB2_TREE_CONNECT 0x0003
#define SMB2_CREATE       0x0005
/* wire offsets: 64-byte SMB2 header, then the CREATE response body */
#define CMD_OFFSET         12   /* Header.Command             */
#define TREE_ID_OFFSET     36   /* Header.TreeId              */
#define SESSION_ID_OFFSET  40   /* Header.SessionId           */
#define CREATE_PFID_OFFSET 128  /* 64 + 64: FileId.Persistent */
#define CREATE_VFID_OFFSET 136  /* 64 + 72: FileId.Volatile   */
/* identifiers reused by later requests in the same program */
static uint32_t tree_id;
static uint64_t session_id, persistent_file_id, volatile_file_id;
/* SMB2 is little-endian on the wire; byte-wise loads avoid alignment traps */
static uint16_t u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t u32(const uint8_t *p) { return u16(p) | ((uint32_t)u16(p + 2) << 16); }
static uint64_t u64(const uint8_t *p) { return u32(p) | ((uint64_t)u32(p + 4) << 32); }

void process_buffer(int msg_no, const char *buffer, size_t received) {
    if (received < CMD_OFFSET + sizeof(uint16_t))   // too short to carry a command
        return;
    uint16_t cmd_rsp = u16((const uint8_t *)(buffer + CMD_OFFSET));
    switch (cmd_rsp) {
    case SMB2_TREE_CONNECT:
        if (received >= TREE_ID_OFFSET + sizeof(uint32_t))
            tree_id = u32((const uint8_t *)(buffer + TREE_ID_OFFSET));
        break;
    case SMB2_SESS_SETUP:
        // first session setup response carries session_id
        if (msg_no == 0x01 && received >= SESSION_ID_OFFSET + sizeof(uint64_t))
            session_id = u64((const uint8_t *)(buffer + SESSION_ID_OFFSET));
        break;
    case SMB2_CREATE:
        if (received >= CREATE_VFID_OFFSET + sizeof(uint64_t)) {
            persistent_file_id = u64((const uint8_t *)(buffer + CREATE_PFID_OFFSET));
            volatile_file_id = u64((const uint8_t *)(buffer + CREATE_VFID_OFFSET));
        }
        break;
    default:
        break;
    }
}
```
Notes
- Use a single fuzzer process that shares authentication/state: it gives stability and better coverage given ksmbd's global/session tables. syzkaller still injects concurrency by marking ops as async; it reruns them internally.
- syzkaller's experimental reset_acc_state can reset global state but may cause a large performance slowdown. Prefer stability and focus on fuzzing instead.
Grammar-Driven SMB2 Construction (Valid PDUs)
Translate the Microsoft Open Specifications SMB2 structures into a fuzzer grammar so your generator produces structurally correct PDUs that systematically reach the dispatchers and IOCTL handlers.
Example (SMB2 IOCTL request):
```
smb2_ioctl_req {
    Header_Prefix     SMB2Header_Prefix
    Command           const[0xb, int16]
    Header_Suffix     SMB2Header_Suffix
    StructureSize     const[57, int16]
    Reserved          const[0, int16]
    CtlCode           union_control_codes
    PersistentFileId  const[0x4, int64]
    VolatileFileId    const[0x0, int64]
    InputOffset       offsetof[Input, int32]
    InputCount        bytesize[Input, int32]
    MaxInputResponse  const[65536, int32]
    OutputOffset      offsetof[Output, int32]
    OutputCount       len[Output, int32]
    MaxOutputResponse const[65536, int32]
    Flags             int32[0:1]
    Reserved2         const[0, int32]
    Input             array[int8]
    Output            array[int8]
} [packed]
```
This style enforces correct structure sizes and offsets and dramatically improves coverage compared to blind mutation.
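To make the grammar's offsetof/bytesize directives and the ID chaining from the stateful-harness section concrete, the following added example (not code from the original page or from the Doyensec research) packs the same SMB2 IOCTL request in Python, prefixed with the 4-byte NetBIOS length, and reads the fields back the way a receiver would check them. The session/tree/file IDs and the 24-byte input are constructed placeholders standing in for values captured from earlier responses.

```python
import struct

SMB2_HDR_LEN = 64
SMB2_IOCTL = 0x000B
SMB2_IOCTL_BODY_LEN = 56           # StructureSize 57 counts the 1-byte Buffer
SMB2_0_IOCTL_IS_FSCTL = 0x1        # grammar: Flags int32[0:1]
FSCTL_VALIDATE_NEGOTIATE_INFO = 0x00140204

def smb2_header(command, message_id, session_id, tree_id):
    """64-byte SMB2 header (MS-SMB2 2.2.1.2); SessionId/TreeId come from earlier responses."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       b"\xfeSMB", SMB2_HDR_LEN, 1, 0,       # ProtocolId, StructureSize, CreditCharge, Status
                       command, 1, 0, 0,                      # Command, CreditRequest, Flags, NextCommand
                       message_id, 0, tree_id, session_id,    # MessageId, Reserved, TreeId, SessionId
                       b"\x00" * 16)                          # Signature (unsigned for this harness)

def smb2_ioctl_request(ctl_code, persistent_fid, volatile_fid, input_data,
                       message_id, session_id, tree_id):
    """IOCTL request PDU with the NetBIOS length prefix ksmbd expects on TCP/445."""
    input_offset = SMB2_HDR_LEN + SMB2_IOCTL_BODY_LEN if input_data else 0   # offsetof[Input]
    body = struct.pack("<HHIQQ" + "I" * 8,
                       57, 0, ctl_code, persistent_fid, volatile_fid,
                       input_offset, len(input_data),         # InputOffset, InputCount = bytesize[Input]
                       65536, 0, 0, 65536,                    # MaxInputResponse, OutputOffset/Count, MaxOutputResponse
                       SMB2_0_IOCTL_IS_FSCTL, 0)              # Flags, Reserved2
    pdu = smb2_header(SMB2_IOCTL, message_id, session_id, tree_id) + body + input_data
    return struct.pack(">I", len(pdu)) + pdu

def parse_ioctl_request(frame):
    """Read back what a receiver validates: length prefix, Command, SessionId, InputOffset/Count."""
    (nb_len,) = struct.unpack_from(">I", frame, 0)
    pdu = frame[4:]
    command = struct.unpack_from("<H", pdu, 12)[0]
    session_id = struct.unpack_from("<Q", pdu, 40)[0]
    in_off, in_cnt = struct.unpack_from("<II", pdu, SMB2_HDR_LEN + 24)   # after StructureSize..FileId
    return {"nb_len": nb_len, "pdu_len": len(pdu), "command": command,
            "session_id": session_id, "input_offset": in_off, "input_count": in_cnt,
            "input": pdu[in_off:in_off + in_cnt] if in_cnt else b""}

if __name__ == "__main__":
    # constructed IDs standing in for values saved from SESSION_SETUP/TREE_CONNECT/CREATE responses
    frame = smb2_ioctl_request(FSCTL_VALIDATE_NEGOTIATE_INFO, 0x4, 0x0, b"\x00" * 24,
                               message_id=3, session_id=0x1122334455667788, tree_id=0x1)
    print(parse_ioctl_request(frame))
```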
Directed Fuzzing With focus_areas
Use syzkaller's experimental focus_areas to weight specific functions/files that currently have weak coverage. Example JSON:
```json
{
  "focus_areas": [
    {"filter": {"functions": ["smb_check_perm_dacl"]}, "weight": 20.0},
    {"filter": {"files": ["^fs/smb/server/"]}, "weight": 2.0},
    {"weight": 1.0}
  ]
}
```
This helps build valid ACLs that reach the arithmetic/overflow paths in smbacl.c. For example, a malicious Security Descriptor with a large dacloffset triggers an integer overflow.
Reproducer builder (minimal Python):
```python
import struct

def build_sd():
    """Security Descriptor (MS-DTYP 2.4.6 layout) whose dacloffset is out of range."""
    sd = bytearray(0x14)                          # 20-byte SD header
    sd[0x00] = 0x00; sd[0x01] = 0x00              # Revision, Sbz1
    struct.pack_into('<H', sd, 0x02, 0x0001)      # Control
    struct.pack_into('<I', sd, 0x04, 0x78)        # OffsetOwner: points at the padding below
    struct.pack_into('<I', sd, 0x08, 0x00)        # OffsetGroup
    struct.pack_into('<I', sd, 0x0C, 0x10000)     # OffsetSacl
    struct.pack_into('<I', sd, 0x10, 0xFFFFFFFF)  # dacloffset: offset + ACL size wraps in 32 bits
    while len(sd) < 0x78:
        sd += b'A'
    sd += b"\x01\x01\x00\x00\x00\x00\x00\x00"     # minimal DACL
    sd += b"\xCC" * 64
    return bytes(sd)
```
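To show why the dacloffset above slips past a naive check, the following added example (not code from the original page, and a model of the bug class rather than ksmbd's own source) evaluates the offset check in 32-bit arithmetic beside an overflow-proof form of the same condition. The SD bytes and the Control value are constructed for the demonstration.

```python
import struct

SD_HDR_LEN = 0x14        # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
ACL_HDR_LEN = 8          # AclRevision, Sbz1, AclSize, AceCount, Sbz2
U32_MASK = 0xFFFFFFFF

def sd_offsets(sd):
    """Offsets from the self-relative SD header (MS-DTYP 2.4.6, little-endian)."""
    _rev, _sbz1, _control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    return {"owner": owner, "group": group, "sacl": sacl, "dacl": dacl}

def dacl_fits_wrapping(sd):
    """`dacloffset + sizeof(ACL) <= len` evaluated in 32-bit arithmetic, the pattern the
    overflow defeats: a huge offset wraps to a tiny end value and the check passes."""
    end = (sd_offsets(sd)["dacl"] + ACL_HDR_LEN) & U32_MASK
    return end <= len(sd)

def dacl_fits_safe(sd):
    """Same condition with the addition moved to the side that cannot overflow."""
    dacl = sd_offsets(sd)["dacl"]
    return SD_HDR_LEN <= dacl and dacl <= len(sd) - ACL_HDR_LEN

def make_sd(dacl_offset, total_len=0x78):
    """Constructed SD: header carrying the given dacloffset, zero-padded to total_len bytes."""
    hdr = struct.pack("<BBHIIII", 1, 0, 0x0004, 0, 0, 0, dacl_offset)   # Control: SE_DACL_PRESENT
    return hdr + b"\x00" * (total_len - len(hdr))

if __name__ == "__main__":
    for off in (SD_HDR_LEN, 0xFFFFFFFF):
        sd = make_sd(off)
        print(hex(off), "wrapping check:", dacl_fits_wrapping(sd), "safe check:", dacl_fits_safe(sd))
```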
Breaking Coverage Plateaus with ANYBLOB
syzkaller's anyTypes (ANYBLOB/ANYRES) let you reduce complex structures to blobs that are mutated generically. Build a new corpus from public SMB pcaps and convert the payloads into syzkaller programs that call your pseudo-syscall (e.g., syz_ksmbd_send_req):
```python
# Extract SMB payloads to JSON
# tshark -r smb2_dac_sample.pcap -Y "smb || smb2" -T json -e tcp.payload > packets.json
import json, os

os.makedirs("corpus", exist_ok=True)
with open("packets.json") as f:
    data = json.load(f)

# adjust indexing to your tshark JSON structure
packets = [e["_source"]["layers"]["tcp.payload"] for e in data
           if "tcp.payload" in e["_source"]["layers"]]

for i, pkt in enumerate(packets):
    pdu = pkt[0].replace(":", "")      # tshark may emit colon-separated hex bytes
    pdu_size = len(pdu) // 2           # hex string length → bytes
    with open(f"corpus/packet_{i:03d}.txt", "w") as out:
        out.write(
            f"syz_ksmbd_send_req(&(&(0x7f0000000340))=ANY=[@ANYBLOB=\"{pdu}\"], {hex(pdu_size)}, 0x0, 0x0)"
        )
```
This bootstraps exploration quickly and can trigger UAFs immediately (e.g., in ksmbd_sessions_deregister) while adding a few percent of coverage.
Sanitizers: Beyond KASAN
- KASAN remains the primary detector for heap bugs (UAF/OOB).
- KCSAN mostly yields false positives or low-severity data races on this target.
- UBSAN/KUBSAN can catch declared-bounds mistakes that KASAN misses because of array-index semantics. Example:
```c
struct smb_sid {
	__u8 revision; __u8 num_subauth; __u8 authority[NUM_AUTHS];
	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
} __attribute__((packed));

/* with num_subauth == 0 this indexes sub_auth[-1]: still inside the struct, so KASAN stays silent */
id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
```
Setting num_subauth = 0 causes an in-struct OOB read of sub_auth[-1], which UBSAN's declared-bounds check catches.
Throughput and Parallelism Notes
- A single fuzzer process (shared auth/state) tends to be more stable for ksmbd and still surfaces races/UAFs thanks to syzkaller's internal async executor.
- With multiple VMs you can still reach hundreds of SMB commands/second in aggregate. Function-level coverage of roughly ~60% of fs/smb/server and ~70% of smb2pdu.c is achievable, although state-transition coverage is under-represented by those metrics.
Practical Checklist
- Enable durable handles, leases, multi-channel, oplocks, and VFS objects in ksmbd.
- Allow guest and map-to-guest; accept NTLMv2. Patch out credit limits and increase max connections for fuzzer stability.
- Build a stateful harness that persists SessionId/TreeID/FileIDs and chains create → ioctl → close.
- Use a grammar for SMB2 PDUs to maintain structural validity.
- Use focus_areas to weight weakly-covered functions (e.g., smbacl.c paths like smb_check_perm_dacl).
- Seed with ANYBLOB from real pcaps to break plateaus; pack seeds with syz-db for later reuse.
- Run with KASAN + UBSAN; triage UBSAN declared-bounds reports carefully.
References
- Doyensec – ksmbd Fuzzing (Part 2): https://blog.doyensec.com/2025/09/02/ksmbd-2.html
- syzkaller: https://github.com/google/syzkaller
- ANYBLOB/anyTypes (commit 9fe8aa4): https://github.com/google/syzkaller/commit/9fe8aa4
- Async executor change (commit fd8caa5): https://github.com/google/syzkaller/commit/fd8caa5
- syz-db: https://github.com/google/syzkaller/tree/master/tools/syz-db
- KASAN: https://docs.kernel.org/dev-tools/kasan.html
- UBSAN/KUBSAN: https://docs.kernel.org/dev-tools/ubsan.html
- KCSAN: https://docs.kernel.org/dev-tools/kcsan.html
- Microsoft Open Specifications (SMB): https://learn.microsoft.com/openspecs/
- Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures
- Background reading: pwning.tech “Tickling ksmbd: fuzzing SMB in the Linux kernel”; Dongliang Mu’s syzkaller notes