{"uuid": "a595460a-e4ca-4851-aac9-8ee2ce7d94aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-54680", "type": "published-proof-of-concept", "source": "https://t.me/cvedetector/15076", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-54680 - Linux Kernel Samba SMB Client NetNS Reference Counting Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-54680 \nPublished : Jan. 11, 2025, 1:15 p.m. | 35\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nsmb: client: fix TCP timers deadlock after rmmod  \n  \nCommit ef7134c7fc48 (\"smb: client: Fix use-after-free of network namespace.\")  \nfixed a netns UAF by manually enabled socket refcounting  \n(sk->sk_net_refcnt=1 and sock_inuse_add(net, 1)).  \n  \nThe reason the patch worked for that bug was because we now hold  \nreferences to the netns (get_net_track() gets a ref internally)  \nand they're properly released (internally, on __sk_destruct()),  \nbut only because sk->sk_net_refcnt was set.  \n  \nProblem:  \n(this happens regardless of CONFIG_NET_NS_REFCNT_TRACKER and regardless  \nif init_net or other)  \n  \nSetting sk->sk_net_refcnt=1 *manually* and *after* socket creation is not  \nonly out of cifs scope, but also technically wrong -- it's set conditionally  \nbased on user (=1) vs kernel (=0) sockets.  And net/ implementations  \nseem to base their user vs kernel space operations on it.  \n  \ne.g. upon TCP socket close, the TCP timers are not cleared because  \nsk->sk_net_refcnt=1:  \n(cf. commit 151c9c724d05 (\"tcp: properly terminate timers for kernel sockets\"))  \n  \nnet/ipv4/tcp.c:  \n    void tcp_close(struct sock *sk, long timeout)  \n    {  \n     lock_sock(sk);  \n     __tcp_close(sk, timeout);  \n     release_sock(sk);  \n     if (!sk->sk_net_refcnt)  \n      inet_csk_clear_xmit_timers_sync(sk);  \n     sock_put(sk);  \n    }  \n  \nWhich will throw a lockdep warning and then, as expected, deadlock on  \ntcp_write_timer().  \n  \nA way to reproduce this is by running the reproducer from ef7134c7fc48  \nand then 'rmmod cifs'.  A few seconds later, the deadlock/lockdep  \nwarning shows up.  \n  \nFix:  \nWe shouldn't mess with socket internals ourselves, so do not set  \nsk_net_refcnt manually.  \n  \nAlso change __sock_create() to sock_create_kern() for explicitness.  \n  \nAs for non-init_net network namespaces, we deal with it the best way  \nwe can -- hold an extra netns reference for server->ssocket and drop it  \nwhen it's released.  This ensures that the netns still exists whenever  \nwe need to create/destroy server->ssocket, but is not directly tied to  \nit. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-11T14:55:32.000000Z"}