ghsa-xjrj-hm29-qrjc
Vulnerability from github
Published
2025-04-16 15:34
Modified
2025-04-25 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: Fix netns refcount imbalance causing leaks and use-after-free

Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") attempted to fix a netns use-after-free issue by manually adjusting reference counts via sk->sk_net_refcnt and sock_inuse_add().

However, a later commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") pointed out that the approach of manually setting sk->sk_net_refcnt in the first commit was technically incorrect, as sk->sk_net_refcnt should only be set for user sockets. It led to issues like TCP timers not being cleared properly on close. The second commit moved to a model of just holding an extra netns reference for server->ssocket using get_net(), and dropping it when the server is torn down.

But there remain some gaps in the get_net()/put_net() balancing added by these commits. The incomplete reference handling in these fixes results in two issues:

  1. Netns refcount leaks[1]

The problem process is as follows:

``` mount.cifs cifsd

cifs_do_mount cifs_mount cifs_mount_get_session cifs_get_tcp_session get_net() / First get net. / ip_connect generic_ip_connect / Try port 445 / get_net() ->connect() / Failed / put_net() generic_ip_connect / Try port 139 / get_net() / Missing matching put_net() for this get_net()./ cifs_get_smb_ses cifs_negotiate_protocol smb2_negotiate SMB2_negotiate cifs_send_recv wait_for_response cifs_demultiplex_thread cifs_read_from_socket cifs_readv_from_socket cifs_reconnect cifs_abort_connection sock_release(); server->ssocket = NULL; / Missing put_net() here. / generic_ip_connect get_net() ->connect() / Failed / put_net() sock_release(); server->ssocket = NULL; free_rsp_buf ... clean_demultiplex_info / It's only called once here. / put_net() ```

When cifs_reconnect() is triggered, the server->ssocket is released without a corresponding put_net() for the reference acquired in generic_ip_connect() before. it ends up calling generic_ip_connect() again to retry get_net(). After that, server->ssocket is set to NULL in the error path of generic_ip_connect(), and the net count cannot be released in the final clean_demultiplex_info() function.

  1. Potential use-after-free

The current refcounting scheme can lead to a potential use-after-free issue in the following scenario:

cifs_do_mount cifs_mount cifs_mount_get_session cifs_get_tcp_session get_net() /* First get net */ ip_connect generic_ip_connect get_net() bind_socket kernel_bind /* failed */ put_net() /* after out_err_crypto_release label */ put_net() /* after out_err label */ put_net()

In the exception handling process where binding the socket fails, the get_net() and put_net() calls are unbalanced, which may cause the server->net reference count to drop to zero and be prematurely released.

To address both issues, this patch ties the netns reference counti ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-22077"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:16:01Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix netns refcount imbalance causing leaks and use-after-free\n\nCommit ef7134c7fc48 (\"smb: client: Fix use-after-free of network\nnamespace.\") attempted to fix a netns use-after-free issue by manually\nadjusting reference counts via sk-\u003esk_net_refcnt and sock_inuse_add().\n\nHowever, a later commit e9f2517a3e18 (\"smb: client: fix TCP timers deadlock\nafter rmmod\") pointed out that the approach of manually setting\nsk-\u003esk_net_refcnt in the first commit was technically incorrect, as\nsk-\u003esk_net_refcnt should only be set for user sockets. It led to issues\nlike TCP timers not being cleared properly on close. The second commit\nmoved to a model of just holding an extra netns reference for\nserver-\u003essocket using get_net(), and dropping it when the server is torn\ndown.\n\nBut there remain some gaps in the get_net()/put_net() balancing added by\nthese commits. The incomplete reference handling in these fixes results\nin two issues:\n\n1. Netns refcount leaks[1]\n\nThe problem process is as follows:\n\n```\nmount.cifs                        cifsd\n\ncifs_do_mount\n  cifs_mount\n    cifs_mount_get_session\n      cifs_get_tcp_session\n        get_net()  /* First get net. */\n        ip_connect\n          generic_ip_connect /* Try port 445 */\n            get_net()\n            -\u003econnect() /* Failed */\n            put_net()\n          generic_ip_connect /* Try port 139 */\n            get_net() /* Missing matching put_net() for this get_net().*/\n      cifs_get_smb_ses\n        cifs_negotiate_protocol\n          smb2_negotiate\n            SMB2_negotiate\n              cifs_send_recv\n                wait_for_response\n                                 cifs_demultiplex_thread\n                                   cifs_read_from_socket\n                                     cifs_readv_from_socket\n                                       cifs_reconnect\n                                         cifs_abort_connection\n                                           sock_release();\n                                           server-\u003essocket = NULL;\n                                           /* Missing put_net() here. */\n                                           generic_ip_connect\n                                             get_net()\n                                             -\u003econnect() /* Failed */\n                                             put_net()\n                                             sock_release();\n                                             server-\u003essocket = NULL;\n          free_rsp_buf\n    ...\n                                   clean_demultiplex_info\n                                     /* It\u0027s only called once here. */\n                                     put_net()\n```\n\nWhen cifs_reconnect() is triggered, the server-\u003essocket is released\nwithout a corresponding put_net() for the reference acquired in\ngeneric_ip_connect() before. it ends up calling generic_ip_connect()\nagain to retry get_net(). After that, server-\u003essocket is set to NULL\nin the error path of generic_ip_connect(), and the net count cannot be\nreleased in the final clean_demultiplex_info() function.\n\n2. Potential use-after-free\n\nThe current refcounting scheme can lead to a potential use-after-free issue\nin the following scenario:\n\n```\n cifs_do_mount\n   cifs_mount\n     cifs_mount_get_session\n       cifs_get_tcp_session\n         get_net()  /* First get net */\n           ip_connect\n             generic_ip_connect\n               get_net()\n               bind_socket\n\t         kernel_bind /* failed */\n               put_net()\n         /* after out_err_crypto_release label */\n         put_net()\n         /* after out_err label */\n         put_net()\n```\n\nIn the exception handling process where binding the socket fails, the\nget_net() and put_net() calls are unbalanced, which may cause the\nserver-\u003enet reference count to drop to zero and be prematurely released.\n\nTo address both issues, this patch ties the netns reference counti\n---truncated---",
  "id": "GHSA-xjrj-hm29-qrjc",
  "modified": "2025-04-25T12:30:27Z",
  "published": "2025-04-16T15:34:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22077"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/476617a4ca0123f0df677d547a82a110c27c8c74"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b6f6bf1bde8d6045c389fda8d21c304dfe49384"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d8dfc27d90d41627c0d6ada97ed0ab57b3dae25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8dbf060480236877703bff0106fc984576184d11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95d2b9f693ff2a1180a23d7d59acc0c4e72f4c41"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/961755d0055e0e96d1849cc0425da966c8a64e53"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6b6b8dcef4adf8ee4e439bb97e74106096c71b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f761eeefd531e6550cd3a5c047835b4892acb00d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.