CVE-2024-53095

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: Fix use-after-free of network namespace.<br /> <br /> Recently, we got a customer report that CIFS triggers oops while<br /> reconnecting to a server. [0]<br /> <br /> The workload runs on Kubernetes, and some pods mount CIFS servers<br /> in non-root network namespaces. The problem rarely happened, but<br /> it was always while the pod was dying.<br /> <br /> The root cause is wrong reference counting for network namespace.<br /> <br /> CIFS uses kernel sockets, which do not hold refcnt of the netns that<br /> the socket belongs to. That means CIFS must ensure the socket is<br /> always freed before its netns; otherwise, use-after-free happens.<br /> <br /> The repro steps are roughly:<br /> <br /> 1. mount CIFS in a non-root netns<br /> 2. drop packets from the netns<br /> 3. destroy the netns<br /> 4. unmount CIFS<br /> <br /> We can reproduce the issue quickly with the script [1] below and see<br /> the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.<br /> <br /> When the socket is TCP, it is hard to guarantee the netns lifetime<br /> without holding refcnt due to async timers.<br /> <br /> Let&amp;#39;s hold netns refcnt for each socket as done for SMC in commit<br /> 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler().").<br /> <br /> Note that we need to move put_net() from cifs_put_tcp_session() to<br /> clean_demultiplex_info(); otherwise, __sock_create() still could touch a<br /> freed netns while cifsd tries to reconnect from cifs_demultiplex_thread().<br /> <br /> Also, maybe_get_net() cannot be put just before __sock_create() because<br /> the code is not under RCU and there is a small chance that the same<br /> address happened to be reallocated to another netns.<br /> <br /> [0]:<br /> CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...<br /> CIFS: Serverclose failed 4 times, giving up<br /> Unable to handle kernel paging request at virtual address 14de99e461f84a07<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004<br /> CM = 0, WnR = 0<br /> [14de99e461f84a07] address between user and kernel address ranges<br /> Internal error: Oops: 0000000096000004 [#1] SMP<br /> Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs<br /> CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1<br /> Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018<br /> pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : fib_rules_lookup+0x44/0x238<br /> lr : __fib_lookup+0x64/0xbc<br /> sp : ffff8000265db790<br /> x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01<br /> x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580<br /> x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500<br /> x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002<br /> x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294<br /> x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000<br /> x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0<br /> x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500<br /> Call trace:<br /> fib_rules_lookup+0x44/0x238<br /> __fib_lookup+0x64/0xbc<br /> ip_route_output_key_hash_rcu+0x2c4/0x398<br /> ip_route_output_key_hash+0x60/0x8c<br /> tcp_v4_connect+0x290/0x488<br /> __inet_stream_connect+0x108/0x3d0<br /> inet_stream_connect+0x50/0x78<br /> kernel_connect+0x6c/0xac<br /> generic_ip_conne<br /> ---truncated---