Message-ID: <e6537aa9-6fe7-47e4-afd3-9da549ce12a1@huawei.com>
Date: Wed, 2 Apr 2025 17:15:44 +0800
From: Wang Zhaolong <wangzhaolong1@...wei.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC: Kuniyuki Iwashima <kuniyu@...zon.com>, <edumazet@...gle.com>,
	<ematsumiya@...e.de>, <linux-fsdevel@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <linux-net@...r.kernel.org>,
	<smfrench@...il.com>, <zhangchangzhong@...wei.com>, <cve@...nel.org>,
	<sfrench@...ba.org>
Subject: Re: Fwd: [PATCH][SMB3 client] fix TCP timers deadlock after rmmod

> On Wed, Apr 02, 2025 at 12:49:50PM +0800, Wang Zhaolong wrote:
>> Yes, it seems the previous description might not have been entirely clear.
>> I need to clearly point out that this patch, intended as the fix for CVE-2024-54680,
>> does not actually address any real issues. It also fails to resolve the null pointer
>> dereference problem within lockdep. On top of that, it has caused a series of
>> subsequent leakage issues.
> 
> If this cve does not actually fix anything, then we can easily reject
> it, please just let us know if that needs to happen here.
> 
> thanks,
> 
> greg k-h
Hi Greg,

Yes, I can confirm that the patch for CVE-2024-54680 (commit e9f2517a3e18)
should be rejected. Our analysis shows:

1. It fails to address the actual null pointer dereference in lockdep

2. It introduces multiple serious issues:
    1. A socket leak vulnerability as documented in bugzilla #219972
    2. Network namespace refcount imbalance issues as described in
      bugzilla #219792 (which required the follow-up mainline fix
      4e7f1644f2ac "smb: client: Fix netns refcount imbalance
      causing leaks and use-after-free")

The next thing we should probably do is:
    - Reverting e9f2517a3e18
    - Reverting the follow-up fix 4e7f1644f2ac, as it's trying to fix
      problems introduced by the problematic CVE patch
    - Addressing the original lockdep issue properly (Kuniyuki is working
      on a module ownership tracking patch, though it hasn't been merged yet)

Regardless of the status of Kuniyuki's lockdep fix, the CVE patch itself
is fundamentally flawed and should be rejected as it creates more problems
than it solves.

Thank you for your attention to this matter.

Best regards,
Wang Zhaolong
