ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)

Overview

This page describes practical techniques for exercising and fuzzing the Linux in-kernel SMB server (ksmbd) with syzkaller. It focuses on expanding the protocol attack surface through configuration, building a stateful harness that can chain SMB2 operations, generating grammatically valid PDUs, steering mutations toward weakly covered code paths, and using syzkaller features such as focus_areas and ANYBLOB. While the original research cited specific CVEs, the emphasis here is on a reusable methodology and concrete snippets you can adapt to your own setups.

Target scope: SMB2/SMB3 over TCP. Kerberos and RDMA are deliberately excluded to keep the harness simple.


Expand ksmbd Attack Surface via Configuration

By default, a minimal ksmbd setup leaves large parts of the server unexercised. Enable the following features to drive the server through more parsers/handlers and reach deeper code paths:

  • Global-level
    • Durable handles
    • Server multi-channel
    • SMB2 leases
  • Per-share-level
    • Oplocks (on by default)
    • VFS objects

Enabling these increases execution in modules such as:

  • smb2pdu.c (command parsing/dispatch)
  • ndr.c (NDR encode/decode)
  • oplock.c (oplock request/break)
  • smbacl.c (ACL parsing/enforcement)
  • vfs.c (VFS ops)
  • vfs_cache.c (lookup cache)

Notes

  • The exact options depend on your distro's ksmbd userspace (ksmbd-tools). Review /etc/ksmbd/ksmbd.conf and the per-share sections to enable durable handles, leases, oplocks and VFS objects.
  • Multi-channel and durable handles change state machines and object lifetimes, which often surfaces UAF/refcount/OOB bugs under concurrency.

Authentication and Rate-Limiting Adjustments for Fuzzing

SMB3 requires a valid session. Implementing Kerberos in the harness adds complexity, so prefer NTLM/guest for fuzzing:

  • Allow guest access and set map to guest = bad user so that unknown users are mapped to GUEST.
  • Accept NTLMv2 (patch the policy if it is disabled). This keeps the handshake simple while still exercising the SMB3 code paths.
  • Remove the strict credit checks during testing (the post-hardening for CVE-2024-50285 made simultaneous-op crediting stricter). Otherwise, rate limits may reject fuzzed sequences too early.
  • Increase max connections (e.g., up to 65536) to avoid early rejections during high-throughput fuzzing.

Warning: these adjustments exist only to enable fuzzing. Do not deploy these settings in production.


Stateful Harness: Extract Resources and Chain Requests

SMB is stateful: many requests depend on identifiers returned by earlier responses (SessionId, TreeID, FileID pairs). Your harness must parse responses and reuse those IDs within the same program to reach deeper handlers (e.g., smb2_create → smb2_ioctl → smb2_close).

Example snippet that processes a response buffer (the +4B NetBIOS PDU length has already been stripped) and caches the IDs:

```c
#include <stdint.h>
#include <stddef.h>

/* SMB2 command codes and field offsets relative to the start of the SMB2 header ([MS-SMB2]) */
#define SMB2_SESS_SETUP     0x0001
#define SMB2_TREE_CONNECT   0x0003
#define SMB2_CREATE         0x0005
#define CMD_OFFSET          12    /* Header.Command */
#define TREE_ID_OFFSET      36    /* Header.TreeId */
#define SESSION_ID_OFFSET   40    /* Header.SessionId */
#define CREATE_PFID_OFFSET  128   /* CREATE response FileId.Persistent (header + body offset 64) */
#define CREATE_VFID_OFFSET  136   /* CREATE response FileId.Volatile */

/* little-endian field readers */
static uint16_t u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t u32(const uint8_t *p) { return u16(p) | ((uint32_t)u16(p + 2) << 16); }
static uint64_t u64(const uint8_t *p) { return u32(p) | ((uint64_t)u32(p + 4) << 32); }

/* IDs cached across the chained requests of one fuzzer program */
static uint64_t session_id, persistent_file_id, volatile_file_id;
static uint32_t tree_id;

// process response. buffer does not contain the +4B NetBIOS PDU length
void process_buffer(int msg_no, const char *buffer, size_t received) {
    if (received < CMD_OFFSET + sizeof(uint16_t))
        return;
    uint16_t cmd_rsp = u16((const uint8_t *)(buffer + CMD_OFFSET));
    switch (cmd_rsp) {
    case SMB2_TREE_CONNECT:
        if (received >= TREE_ID_OFFSET + sizeof(uint32_t))
            tree_id = u32((const uint8_t *)(buffer + TREE_ID_OFFSET));
        break;
    case SMB2_SESS_SETUP:
        // first session setup response carries session_id
        if (msg_no == 0x01 && received >= SESSION_ID_OFFSET + sizeof(uint64_t))
            session_id = u64((const uint8_t *)(buffer + SESSION_ID_OFFSET));
        break;
    case SMB2_CREATE:
        if (received >= CREATE_VFID_OFFSET + sizeof(uint64_t)) {
            persistent_file_id = u64((const uint8_t *)(buffer + CREATE_PFID_OFFSET));
            volatile_file_id   = u64((const uint8_t *)(buffer + CREATE_VFID_OFFSET));
        }
        break;
    default:
        break;
    }
}
```

Notes

  • Keep a single fuzzer process that shares authentication/state: this gives better stability and coverage with ksmbd's global/session tables. syzkaller still injects concurrency by marking ops async and rerunning them internally.
  • syzkaller's experimental reset_acc_state can reset global state, but it may cause a large slowdown. Prefer stability and focused fuzzing instead.

Grammar-Driven SMB2 Generation (Valid PDUs)

Translate the SMB2 structures from the Microsoft Open Specifications into a fuzzer grammar so that your generator produces structurally valid PDUs, which systematically reach the dispatchers and IOCTL handlers.

Example (SMB2 IOCTL request):

```
smb2_ioctl_req {
    Header_Prefix           SMB2Header_Prefix
    Command                 const[0xb, int16]
    Header_Suffix           SMB2Header_Suffix
    StructureSize           const[57, int16]
    Reserved                const[0, int16]
    CtlCode                 union_control_codes
    PersistentFileId        const[0x4, int64]
    VolatileFileId          const[0x0, int64]
    InputOffset             offsetof[Input, int32]
    InputCount              bytesize[Input, int32]
    MaxInputResponse        const[65536, int32]
    OutputOffset            offsetof[Output, int32]
    OutputCount             len[Output, int32]
    MaxOutputResponse       const[65536, int32]
    Flags                   int32[0:1]
    Reserved2               const[0, int32]
    Input                   array[int8]
    Output                  array[int8]
} [packed]
```

This style enforces correct structure sizes/offsets and substantially improves coverage compared to blind mutation.
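The response parsing and request chaining described in the harness section, together with the offset/size discipline the grammar above enforces, as one added Python example (this is not code from the page or from the Doyensec research): it caches SessionId/TreeId/FileId from constructed SMB2 responses, builds an IOCTL request whose InputOffset/OutputOffset follow the grammar's offsetof/bytesize semantics, and parses it back with the bounds check a server has to make before touching Buffer. Field layouts and command codes come from [MS-SMB2]; the `state` dict, the function names and the sample IDs are this example's own assumptions.

```python
import struct

# Field layouts and command codes from [MS-SMB2]; all names below are this example's own.
SMB2_MAGIC = b"\xfeSMB"
SMB2_HDR_LEN = 64
SMB2_HDR_FMT = "<4sHHIHHIIQIIQ16s"          # ProtocolId .. Signature, 64 bytes
SMB2_SESS_SETUP, SMB2_TREE_CONNECT, SMB2_CREATE, SMB2_IOCTL = 0x0001, 0x0003, 0x0005, 0x000B
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
IOCTL_REQ_FMT = "<HHIQQIIIIIIII"            # fixed IOCTL request body, 56 bytes (StructureSize 57)
IOCTL_REQ_FIXED = struct.calcsize(IOCTL_REQ_FMT)
CREATE_RSP_FIXED = 88                       # fixed CREATE response body (StructureSize 89)
CREATE_RSP_FILEID_OFF = 64                  # FileId {Persistent, Volatile} within the CREATE body
FSCTL_VALIDATE_NEGOTIATE_INFO = 0x00140204


def smb2_header(command, *, message_id=0, tree_id=0, session_id=0, flags=0):
    """Pack a 64-byte SMB2 header; CreditCharge/CreditRequest 1, other unused fields zero."""
    return struct.pack(SMB2_HDR_FMT, SMB2_MAGIC, SMB2_HDR_LEN, 1, 0, command, 1, flags,
                       0, message_id, 0, tree_id, session_id, b"\x00" * 16)


def parse_header(pdu):
    if len(pdu) < SMB2_HDR_LEN or pdu[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 PDU")
    (_, ssize, _, status, command, _, flags, _, message_id,
     _, tree_id, session_id, _) = struct.unpack_from(SMB2_HDR_FMT, pdu, 0)
    if ssize != SMB2_HDR_LEN:
        raise ValueError("bad header StructureSize")
    return {"command": command, "status": status, "flags": flags,
            "message_id": message_id, "tree_id": tree_id, "session_id": session_id}


def cache_ids(state, pdu):
    """Python counterpart of the harness' process_buffer: remember the IDs the server handed back."""
    hdr = parse_header(pdu)
    if hdr["command"] == SMB2_SESS_SETUP:
        state["session_id"] = hdr["session_id"]
    elif hdr["command"] == SMB2_TREE_CONNECT:
        state["tree_id"] = hdr["tree_id"]
    elif hdr["command"] == SMB2_CREATE:
        body = pdu[SMB2_HDR_LEN:]
        if len(body) < CREATE_RSP_FIXED:
            raise ValueError("short CREATE response")
        state["persistent_fid"], state["volatile_fid"] = struct.unpack_from("<QQ", body, CREATE_RSP_FILEID_OFF)
    return state


def build_ioctl_req(state, ctl_code, input_data=b"", output_data=b"", message_id=0):
    """IOCTL request laid out as the grammar above: offsets are offsetof[] from the PDU start."""
    input_offset = SMB2_HDR_LEN + IOCTL_REQ_FIXED          # offsetof[Input]
    output_offset = input_offset + len(input_data)         # offsetof[Output]
    body = struct.pack(IOCTL_REQ_FMT, 57, 0, ctl_code,
                       state["persistent_fid"], state["volatile_fid"],
                       input_offset, len(input_data), 65536,
                       output_offset, len(output_data), 65536,
                       0x1, 0)                             # Flags = SMB2_0_IOCTL_IS_FSCTL, Reserved2
    hdr = smb2_header(SMB2_IOCTL, message_id=message_id,
                      tree_id=state["tree_id"], session_id=state["session_id"])
    return hdr + body + input_data + output_data


def parse_ioctl_req(pdu):
    """Server-side view: validate sizes/offsets before touching Buffer, then return the fields."""
    hdr = parse_header(pdu)
    if hdr["command"] != SMB2_IOCTL:
        raise ValueError("not an IOCTL request")
    body = pdu[SMB2_HDR_LEN:]
    if len(body) < IOCTL_REQ_FIXED:
        raise ValueError("short IOCTL body")
    (ssize, _, ctl_code, pfid, vfid, in_off, in_cnt, _,
     _out_off, _out_cnt, _, flags, _) = struct.unpack_from(IOCTL_REQ_FMT, body, 0)
    if ssize != 57:
        raise ValueError("bad IOCTL StructureSize")
    # Python ints do not wrap, so in_off + in_cnt cannot overflow the way a u32 sum would.
    if in_cnt and (in_off < SMB2_HDR_LEN + IOCTL_REQ_FIXED or in_off + in_cnt > len(pdu)):
        raise ValueError("InputOffset/InputCount outside the PDU")
    return {"ctl_code": ctl_code, "fid": (pfid, vfid), "flags": flags,
            "input": pdu[in_off:in_off + in_cnt],
            "tree_id": hdr["tree_id"], "session_id": hdr["session_id"]}


def constructed_create_response(tree_id, session_id, pfid, vfid):
    """Constructed CREATE response for the demo (not a capture): fixed 88-byte body, FileId at 64."""
    body = (struct.pack("<HBBI", 89, 0, 0, 1)      # StructureSize, OplockLevel, Flags, CreateAction
            + b"\x00" * 48                          # six 64-bit timestamps/sizes
            + struct.pack("<II", 0x80, 0)           # FileAttributes (NORMAL), Reserved2
            + struct.pack("<QQ", pfid, vfid)        # FileId
            + struct.pack("<II", 0, 0))             # CreateContextsOffset/Length
    return smb2_header(SMB2_CREATE, flags=SMB2_FLAGS_SERVER_TO_REDIR,
                       tree_id=tree_id, session_id=session_id) + body


def chain_create_ioctl():
    """Replay the create -> ioctl chain over constructed responses; returns (state, request)."""
    sid, tid = 0x1122334455667788, 0x2
    state = {}
    cache_ids(state, smb2_header(SMB2_SESS_SETUP, flags=SMB2_FLAGS_SERVER_TO_REDIR, session_id=sid)
              + struct.pack("<HHHH", 9, 0, 72, 0))                   # SESSION_SETUP response body
    cache_ids(state, smb2_header(SMB2_TREE_CONNECT, flags=SMB2_FLAGS_SERVER_TO_REDIR,
                                 tree_id=tid, session_id=sid)
              + struct.pack("<HBBIII", 16, 1, 0, 0, 0, 0x1F01FF))  # TREE_CONNECT response body
    cache_ids(state, constructed_create_response(tid, sid, pfid=0x4, vfid=0x0))
    req = build_ioctl_req(state, FSCTL_VALIDATE_NEGOTIATE_INFO, input_data=b"\x00" * 24, message_id=3)
    return state, req
```

Calling `chain_create_ioctl()` yields a 144-byte request (64-byte header, 56-byte fixed body, 24 bytes of Input) whose InputOffset is 120 and whose header carries the cached SessionId/TreeId; `parse_ioctl_req` accepts it and rejects the same request with its tail cut off, because InputCount then points past the end of the PDU.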


Directed Fuzzing With focus_areas

Use syzkaller's experimental focus_areas to give extra weight to specific functions/files that currently have weak coverage. Example JSON:

```json
{
  "focus_areas": [
    {"filter": {"functions": ["smb_check_perm_dacl"]}, "weight": 20.0},
    {"filter": {"files": ["^fs/smb/server/"]}, "weight": 2.0},
    {"weight": 1.0}
  ]
}
```

This helps construct valid ACLs that reach the arithmetic/overflow paths in smbacl.c. For example, a malformed Security Descriptor with an oversized dacloffset triggers an integer overflow.

Reproducer builder (minimal Python):

```python
import struct

def build_sd():
    # self-relative SECURITY_DESCRIPTOR header (0x14 bytes)
    sd = bytearray(0x14)
    sd[0x00] = 0x00; sd[0x01] = 0x00              # Revision, Sbz1
    struct.pack_into('<H', sd, 0x02, 0x0001)      # Control
    struct.pack_into('<I', sd, 0x04, 0x78)        # OffsetOwner
    struct.pack_into('<I', sd, 0x08, 0x00)        # OffsetGroup
    struct.pack_into('<I', sd, 0x0C, 0x10000)     # OffsetSacl
    struct.pack_into('<I', sd, 0x10, 0xFFFFFFFF)  # dacloffset
    while len(sd) < 0x78:
        sd += b'A'
    sd += b"\x01\x01\x00\x00\x00\x00\x00\x00"  # minimal DACL
    sd += b"\xCC" * 64
    return bytes(sd)
```
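The dacloffset check that the reproducer above is designed to defeat, as an added Python example (not code from the page or from ksmbd): a self-relative SECURITY_DESCRIPTOR parser that rejects an out-of-range DACL offset, beside the 32-bit wrapping comparison that such a descriptor slips past. The header layout follows [MS-DTYP]; `constructed_sd` builds test descriptors for the demo, and the function and field names are this example's own.

```python
import struct

SD_HDR_FMT = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl ([MS-DTYP])
SD_HDR_LEN = struct.calcsize(SD_HDR_FMT)    # 0x14
ACL_HDR_FMT = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACL_HDR_LEN = struct.calcsize(ACL_HDR_FMT)  # 8
SE_DACL_PRESENT = 0x0004
U32_MASK = 0xFFFFFFFF


def constructed_sd(dacl_offset, total_len=0xC0):
    """Constructed self-relative descriptor (test data, not a capture): header, padding, empty DACL at 0x78."""
    sd = bytearray(struct.pack(SD_HDR_FMT, 1, 0, SE_DACL_PRESENT, 0, 0, 0, dacl_offset))
    sd += b"\x00" * (0x78 - len(sd))
    sd += struct.pack(ACL_HDR_FMT, 2, 0, ACL_HDR_LEN, 0, 0)
    sd += b"\x00" * (total_len - len(sd))
    return bytes(sd)


def naive_dacl_in_bounds(dacl_offset, buf_len):
    """The pattern to avoid: the u32 sum wraps, so 0xFFFFFFFF + 8 becomes 7 and passes the check."""
    end = (dacl_offset + ACL_HDR_LEN) & U32_MASK
    return end <= buf_len


def parse_dacl(sd):
    """Return the DACL header fields, None when no DACL is present, or raise on a malformed descriptor."""
    if len(sd) < SD_HDR_LEN:
        raise ValueError("descriptor shorter than its header")
    revision, _, control, _, _, _, dacl_offset = struct.unpack_from(SD_HDR_FMT, sd, 0)
    if revision != 1:
        raise ValueError("unsupported SD revision")
    if not control & SE_DACL_PRESENT or dacl_offset == 0:
        return None
    # Overflow-safe: compare the offset with the space that is left instead of adding to it.
    if dacl_offset > len(sd) - ACL_HDR_LEN:
        raise ValueError("OffsetDacl outside the descriptor")
    acl_rev, _, acl_size, ace_count, _ = struct.unpack_from(ACL_HDR_FMT, sd, dacl_offset)
    if acl_size < ACL_HDR_LEN or acl_size > len(sd) - dacl_offset:
        raise ValueError("AclSize outside the descriptor")
    return {"revision": acl_rev, "size": acl_size, "ace_count": ace_count}
```

With a 0xC0-byte descriptor, `naive_dacl_in_bounds(0xFFFFFFFF, 0xC0)` returns True while `parse_dacl` raises on the same offset; the difference is exactly the subtraction-based comparison, which has no sum to wrap.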

Breaking Coverage Plateaus with ANYBLOB

syzkaller's anyTypes (ANYBLOB/ANYRES) let you collapse complex structures into blobs that mutate generically. Seed a new corpus from public SMB pcaps and convert the payloads into syzkaller programs that call your pseudo-syscall (e.g., syz_ksmbd_send_req):

```bash
# Extract SMB payloads to JSON
tshark -r smb2_dac_sample.pcap -Y "smb || smb2" -T json -e tcp.payload > packets.json
```

```python
import json, os

os.makedirs("corpus", exist_ok=True)

with open("packets.json") as f:
    data = json.load(f)

# adjust indexing to your tshark JSON structure
packets = [e["_source"]["layers"]["tcp.payload"] for e in data]

for i, pkt in enumerate(packets):
    pdu = pkt[0].replace(":", "")  # tshark may emit colon-separated hex; ANYBLOB takes a plain hex string
    pdu_size = len(pdu) // 2       # hex string length → bytes
    with open(f"corpus/packet_{i:03d}.txt", "w") as out:
        out.write(
            f"syz_ksmbd_send_req(&(&(0x7f0000000340))=ANY=[@ANYBLOB=\"{pdu}\"], {hex(pdu_size)}, 0x0, 0x0)"
        )
```

This kick-starts exploration quickly and can immediately trigger UAFs (e.g., in ksmbd_sessions_deregister) while adding a few percent of coverage.


Sanitizers: Beyond KASAN

  • KASAN remains the primary tool for detecting heap bugs (UAF/OOB).
  • KCSAN mostly produces false positives or low-severity data races for this target.
  • UBSAN/KUBSAN can catch declared-bounds violations that KASAN misses because of array index semantics. Example:
```c
/* kernel definition (abridged) */
struct smb_sid {
	__u8 revision; __u8 num_subauth; __u8 authority[NUM_AUTHS];
	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
} __attribute__((packed));

/* indexes sub_auth[-1] when num_subauth == 0: still inside the struct, so KASAN stays silent */
id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
```

Setting num_subauth = 0 causes an in-struct OOB read of sub_auth[-1], which UBSAN's declared-bounds checks detect.


Notes on Throughput and Parallelism

  • A single fuzzer process (shared auth/state) tends to be more stable for ksmbd and still surfaces races/UAFs thanks to syzkaller's internal async executor.
  • With multiple VMs, you can still reach hundreds of SMB commands/second in aggregate. Function-level coverage of roughly ~60% of fs/smb/server and ~70% of smb2pdu.c is achievable, although state-transition coverage is not well reflected by these metrics.

Practical Checklist

  • Enable durable handles, leases, multi-channel, oplocks, and VFS objects in ksmbd.
  • Allow guest and map-to-guest; accept NTLMv2. Patch out the credit limits and raise max connections for fuzzer stability.
  • Build a stateful harness that caches SessionId/TreeID/FileIDs and chains create → ioctl → close.
  • Use a grammar for SMB2 PDUs to keep them structurally valid.
  • Use focus_areas to over-weight weakly covered functions (e.g., smbacl.c paths such as smb_check_perm_dacl).
  • Mix in ANYBLOB seeds from real pcaps to break plateaus; load seeds with syz-db for reuse.
  • Run with KASAN + UBSAN; triage UBSAN declared-bounds reports carefully.

References

  • Doyensec – ksmbd Fuzzing (Part 2): https://blog.doyensec.com/2025/09/02/ksmbd-2.html
  • syzkaller: https://github.com/google/syzkaller
  • ANYBLOB/anyTypes (commit 9fe8aa4): https://github.com/google/syzkaller/commit/9fe8aa4
  • Async executor change (commit fd8caa5): https://github.com/google/syzkaller/commit/fd8caa5
  • syz-db: https://github.com/google/syzkaller/tree/master/tools/syz-db
  • KASAN: https://docs.kernel.org/dev-tools/kasan.html
  • UBSAN/KUBSAN: https://docs.kernel.org/dev-tools/ubsan.html
  • KCSAN: https://docs.kernel.org/dev-tools/kcsan.html
  • Microsoft Open Specifications (SMB): https://learn.microsoft.com/openspecs/
  • Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures
  • Further reading: pwning.tech “Tickling ksmbd: fuzzing SMB in the Linux kernel”; Dongliang Mu’s syzkaller notes
