Message-ID: <2025042242-atrophy-huff-6ba6@gregkh>
Date: Tue, 22 Apr 2025 07:36:12 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Wang Zhaolong <wangzhaolong1@...wei.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2025-22077: smb: client: Fix netns refcount imbalance causing leaks and use-after-free

On Mon, Apr 21, 2025 at 10:18:25PM +0800, Wang Zhaolong wrote:
> 
> 
> Hi Greg,
> 
> I apologize for the confusion. Let me clarify the situation more directly:
> 
> > > > 
> > > > 1. Commit 4e7f1644f2ac is currently associated with CVE-2025-22077. However, this
> > > > patch was merely attempting to fix issues introduced by commit e9f2517a3e18 ("smb:
> > > > client: fix TCP timers deadlock after rmmod").
> > 
> > Did it not fix those issues?  If not, we can reject that CVE, please let
> > us know.
> 
> Yes, commit 4e7f1644f2ac did attempt to fix the issues introduced by
> e9f2517a3e18, but it only fixed part of the issues introduced by e9f2517a3e18.
> 
> > 
> > > > 2. As I've previously discussed with Greg Kroah-Hartman on the kernel mailing list[1],
> > > >      commit e9f2517a3e18 (which was intended to address CVE-2024-54680):
> > > >      - Failed to address the actual null pointer dereference in lockdep
> > > >      - Introduced multiple serious issues:
> > > >        - Socket leak vulnerability (bugzilla #219972)
> > > >        - Network namespace refcount imbalance (bugzilla #219792)
> > 
> > So this commit did not actually do anything?  If so, we can reject this
> > CVE.
> > 
> 
> e9f2517a3e18 did not fix any issues and instead introduced a series of problems.
> 
> Here's the actual sequence:
> 
> 1. CVE-2024-53095 vulnerability: Use-after-free of network namespace in
>    SMB client and its correct fix: ef7134c7fc48 by Kuniyuki Iwashima
> 3. Problematic patch: e9f2517a3e18 (intended for CVE-2024-54680) fixed
>    nothing and introduced new issues while trying to "fix" a non-existent
>    deadlock. ** CVE-2024-54680 has been rejected **
> 4. Attempted fix for some reference count issues: My patch 4e7f1644f2ac
>    (assigned CVE-2025-22077)
> 5. Final resolution: Revert the problematic patch e9f2517a3e18 via commit
>    95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"").
> 
> What I'm requesting:
> - CVE-2025-22077 should be associated with commit 95d2b9f693ff, which is the actual
>   final fix.

Thank you for explaining it again, this time it made sense :)

The id is now updated, and the data is pushed out to cve.org, thanks!

greg k-h
