| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix netns refcount imbalance causing leaks and use-after-free\n\nCommit ef7134c7fc48 (\"smb: client: Fix use-after-free of network\nnamespace.\") attempted to fix a netns use-after-free issue by manually\nadjusting reference counts via sk->sk_net_refcnt and sock_inuse_add().\n\nHowever, a later commit e9f2517a3e18 (\"smb: client: fix TCP timers deadlock\nafter rmmod\") pointed out that the approach of manually setting\nsk->sk_net_refcnt in the first commit was technically incorrect, as\nsk->sk_net_refcnt should only be set for user sockets. It led to issues\nlike TCP timers not being cleared properly on close. The second commit\nmoved to a model of just holding an extra netns reference for\nserver->ssocket using get_net(), and dropping it when the server is torn\ndown.\n\nBut there remain some gaps in the get_net()/put_net() balancing added by\nthese commits. The incomplete reference handling in these fixes results\nin two issues:\n\n1. Netns refcount leaks[1]\n\nThe problem process is as follows:\n\n```\nmount.cifs cifsd\n\ncifs_do_mount\n cifs_mount\n cifs_mount_get_session\n cifs_get_tcp_session\n get_net() /* First get net. */\n ip_connect\n generic_ip_connect /* Try port 445 */\n get_net()\n ->connect() /* Failed */\n put_net()\n generic_ip_connect /* Try port 139 */\n get_net() /* Missing matching put_net() for this get_net().*/\n cifs_get_smb_ses\n cifs_negotiate_protocol\n smb2_negotiate\n SMB2_negotiate\n cifs_send_recv\n wait_for_response\n cifs_demultiplex_thread\n cifs_read_from_socket\n cifs_readv_from_socket\n cifs_reconnect\n cifs_abort_connection\n sock_release();\n server->ssocket = NULL;\n /* Missing put_net() here. */\n generic_ip_connect\n get_net()\n ->connect() /* Failed */\n put_net()\n sock_release();\n server->ssocket = NULL;\n free_rsp_buf\n ...\n clean_demultiplex_info\n /* It's only called once here. */\n put_net()\n```\n\nWhen cifs_reconnect() is triggered, the server->ssocket is released\nwithout a corresponding put_net() for the reference acquired in\ngeneric_ip_connect() before. it ends up calling generic_ip_connect()\nagain to retry get_net(). After that, server->ssocket is set to NULL\nin the error path of generic_ip_connect(), and the net count cannot be\nreleased in the final clean_demultiplex_info() function.\n\n2. Potential use-after-free\n\nThe current refcounting scheme can lead to a potential use-after-free issue\nin the following scenario:\n\n```\n cifs_do_mount\n cifs_mount\n cifs_mount_get_session\n cifs_get_tcp_session\n get_net() /* First get net */\n ip_connect\n generic_ip_connect\n get_net()\n bind_socket\n\t kernel_bind /* failed */\n put_net()\n /* after out_err_crypto_release label */\n put_net()\n /* after out_err label */\n put_net()\n```\n\nIn the exception handling process where binding the socket fails, the\nget_net() and put_net() calls are unbalanced, which may cause the\nserver->net reference count to drop to zero and be prematurely released.\n\nTo address both issues, this patch ties the netns reference counti\n---truncated---" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/smb/client/connect.c" |
| ], |
| "versions": [ |
| { |
| "version": "e8c71494181153a134c96da28766a57bd1eac8cb", |
| "lessThan": "c6b6b8dcef4adf8ee4e439bb97e74106096c71b8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ef7134c7fc48e1441b398e55a862232868a6f0a7", |
| "lessThan": "7d8dfc27d90d41627c0d6ada97ed0ab57b3dae25", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ef7134c7fc48e1441b398e55a862232868a6f0a7", |
| "lessThan": "961755d0055e0e96d1849cc0425da966c8a64e53", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ef7134c7fc48e1441b398e55a862232868a6f0a7", |
| "lessThan": "476617a4ca0123f0df677d547a82a110c27c8c74", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ef7134c7fc48e1441b398e55a862232868a6f0a7", |
| "lessThan": "4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "c7f9282fc27fc36dbaffc8527c723de264a132f8", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/smb/client/connect.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.12", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "6.12", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.87", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.23", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.11", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14.2", |
| "lessThanOrEqual": "6.14.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.15-rc1", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.6.62", |
| "versionEndExcluding": "6.6.87" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.12", |
| "versionEndExcluding": "6.12.23" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.12", |
| "versionEndExcluding": "6.13.11" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.12", |
| "versionEndExcluding": "6.14.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.12", |
| "versionEndExcluding": "6.15-rc1" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.11.9" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/c6b6b8dcef4adf8ee4e439bb97e74106096c71b8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/7d8dfc27d90d41627c0d6ada97ed0ab57b3dae25" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/961755d0055e0e96d1849cc0425da966c8a64e53" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/476617a4ca0123f0df677d547a82a110c27c8c74" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef" |
| } |
| ], |
| "title": "smb: client: Fix netns refcount imbalance causing leaks and use-after-free", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-37835", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
