Message-ID: <bf2e5c68-e20c-437e-9aa8-1b5326f4fd14@huawei.com>
Date: Mon, 21 Apr 2025 10:59:47 +0800
From: Wang Zhaolong <wangzhaolong1@...wei.com>
To: <cve@...nel.org>, <linux-kernel@...r.kernel.org>,
<linux-cve-announce@...r.kernel.org>
CC: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: CVE-2025-22077: smb: client: Fix netns refcount imbalance causing
leaks and use-after-free
Given these findings, I recommend updating CVE-2025-22077 to reflect that the true fix
is the reversion of e9f2517a3e18 (via commit 95d2b9f693ff).
Best regards,
Wang Zhaolong
> Dear CVE Community,
>
> As the author of commit 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance
> causing leaks and use-after-free"), I want to clarify some confusion around the
> proper fixes for these issues:
>
> 1. Commit 4e7f1644f2ac is currently associated with CVE-2025-22077. However, this
> patch was merely attempting to fix issues introduced by commit e9f2517a3e18 ("smb:
> client: fix TCP timers deadlock after rmmod").
>
> 2. As I've previously discussed with Greg Kroah-Hartman on the kernel mailing list[1],
> commit e9f2517a3e18 (which was intended to address CVE-2024-54680):
> - Failed to address the actual null pointer dereference in lockdep
> - Introduced multiple serious issues:
> - Socket leak vulnerability (bugzilla #219972)
> - Network namespace refcount imbalance (bugzilla #219792)
>
> 3. Our testing and analysis confirms that the original fix by Kuniyuki Iwashima,
> commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace."), is
> actually the correct approach. This patch properly handles network namespace
> reference counting without introducing the problems that e9f2517a3e18 did.
>
> 4. The proper resolution for these issues was ultimately commit 95d2b9f693ff
> ("Revert 'smb: client: fix TCP timers deadlock after rmmod'"), which reverted
> the problematic patch. In the latest Linux mainline code, the problematic patch and
> my subsequent fix patch have been reverted.[2][3]
>
> Thank you for your attention to this matter. I'm happy to provide additional details if needed.
>
> [1] https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/
> [2] https://github.com/torvalds/linux/commit/c707193a17128fae2802d10cbad7239cc57f0c95
> [3] https://github.com/torvalds/linux/commit/4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef
>
> Best regards,
> Wang Zhaolong
>