Message-ID: <b7822cca-5ef5-4e09-bca1-2857aada4741@huawei.com>
Date: Mon, 21 Apr 2025 22:18:25 +0800
From: Wang Zhaolong <wangzhaolong1@...wei.com>
To: Greg KH <gregkh@...uxfoundation.org>
CC: <cve@...nel.org>, <linux-kernel@...r.kernel.org>,
	<linux-cve-announce@...r.kernel.org>
Subject: Re: CVE-2025-22077: smb: client: Fix netns refcount imbalance causing
 leaks and use-after-free



Hi Greg,

I apologize for the confusion. Let me clarify the situation more directly:

>>>
>>> 1. Commit 4e7f1644f2ac is currently associated with CVE-2025-22077. However, this
>>> patch was merely attempting to fix issues introduced by commit e9f2517a3e18 ("smb:
>>> client: fix TCP timers deadlock after rmmod").
> 
> Did it not fix those issues?  If not, we can reject that CVE, please let
> us know.

Yes, commit 4e7f1644f2ac did attempt to fix the issues introduced by
e9f2517a3e18, but it only fixed part of the issues introduced by e9f2517a3e18.

> 
>>> 2. As I've previously discussed with Greg Kroah-Hartman on the kernel mailing list[1],
>>>      commit e9f2517a3e18 (which was intended to address CVE-2024-54680):
>>>      - Failed to address the actual null pointer dereference in lockdep
>>>      - Introduced multiple serious issues:
>>>        - Socket leak vulnerability (bugzilla #219972)
>>>        - Network namespace refcount imbalance (bugzilla #219792)
> 
> So this commit did not actually do anything?  If so, we can reject this
> CVE.
> 

e9f2517a3e18 did not fix any issues and instead introduced a series of problems.

Here's the actual sequence:

1. CVE-2024-53095 vulnerability: Use-after-free of network namespace in
    SMB client and its correct fix: ef7134c7fc48 by Kuniyuki Iwashima
2. Problematic patch: e9f2517a3e18 (intended for CVE-2024-54680) fixed
    nothing and introduced new issues while trying to "fix" a non-existent
    deadlock. ** CVE-2024-54680 has been rejected **
3. Attempted fix for some reference count issues: My patch 4e7f1644f2ac
    (assigned CVE-2025-22077)
4. Final resolution: Revert the problematic patch e9f2517a3e18 via commit
    95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"").

What I'm requesting:
- CVE-2025-22077 should be associated with commit 95d2b9f693ff, which is the actual
   final fix.

Best regards,
Wang Zhaolong

