{"uuid": "89e88c40-866f-4282-8ac7-d6de23e21d21", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-54680", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/1305", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-54680\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix TCP timers deadlock after rmmod\n\nCommit ef7134c7fc48 (\"smb: client: Fix use-after-free of network namespace.\")\nfixed a netns UAF by manually enabling socket refcounting\n(sk->sk_net_refcnt=1 and sock_inuse_add(net, 1)).\n\nThe reason the patch worked for that bug was because we now hold\nreferences to the netns (get_net_track() gets a ref internally)\nand they're properly released (internally, on __sk_destruct()),\nbut only because sk->sk_net_refcnt was set.\n\nProblem:\n(this happens regardless of CONFIG_NET_NS_REFCNT_TRACKER and regardless\nof whether it is init_net or other)\n\nSetting sk->sk_net_refcnt=1 *manually* and *after* socket creation is not\nonly out of cifs scope, but also technically wrong -- it's set conditionally\nbased on user (=1) vs kernel (=0) sockets.  And net/ implementations\nseem to base their user vs kernel space operations on it.\n\ne.g. upon TCP socket close, the TCP timers are not cleared because\nsk->sk_net_refcnt=1:\n(cf. commit 151c9c724d05 (\"tcp: properly terminate timers for kernel sockets\"))\n\nnet/ipv4/tcp.c:\n    void tcp_close(struct sock *sk, long timeout)\n    {\n     lock_sock(sk);\n     __tcp_close(sk, timeout);\n     release_sock(sk);\n     if (!sk->sk_net_refcnt)\n      inet_csk_clear_xmit_timers_sync(sk);\n     sock_put(sk);\n    }\n\nWhich will throw a lockdep warning and then, as expected, deadlock on\ntcp_write_timer().\n\nA way to reproduce this is by running the reproducer from ef7134c7fc48\nand then 'rmmod cifs'.  A few seconds later, the deadlock/lockdep\nwarning shows up.\n\nFix:\nWe shouldn't mess with socket internals ourselves, so do not set\nsk_net_refcnt manually.\n\nAlso change __sock_create() to sock_create_kern() for explicitness.\n\nAs for non-init_net network namespaces, we deal with it the best way\nwe can -- hold an extra netns reference for server->ssocket and drop it\nwhen it's released.  This ensures that the netns still exists whenever\nwe need to create/destroy server->ssocket, but is not directly tied to\nit.\n\ud83d\udccf Published: 2025-01-11T12:35:43.170Z\n\ud83d\udccf Modified: 2025-01-11T12:35:43.170Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0\n2. https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079\n3. https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801", "creation_timestamp": "2025-01-11T13:06:26.000000Z"}