CVE-2025-21673
Severity CVSS v4.0:
Pending analysis
Type:
CWE-415
Double Free
Publication date:
31/01/2025
Last modified:
04/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
smb: client: fix double free of TCP_Server_Info::hostname<br />
<br />
When shutting down the server in cifs_put_tcp_session(), cifsd thread<br />
might be reconnecting to multiple DFS targets before it realizes it<br />
should exit the loop, so @server->hostname can&#39;t be freed as long as<br />
cifsd thread isn&#39;t done. Otherwise the following can happen:<br />
<br />
RIP: 0010:__slab_free+0x223/0x3c0<br />
Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89<br />
1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <br />
0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80<br />
RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246<br />
RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068<br />
RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400<br />
RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000<br />
R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500<br />
R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068<br />
FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)<br />
000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
? show_trace_log_lvl+0x1c4/0x2df<br />
? show_trace_log_lvl+0x1c4/0x2df<br />
? __reconnect_target_unlocked+0x3e/0x160 [cifs]<br />
? __die_body.cold+0x8/0xd<br />
? die+0x2b/0x50<br />
? do_trap+0xce/0x120<br />
? __slab_free+0x223/0x3c0<br />
? do_error_trap+0x65/0x80<br />
? __slab_free+0x223/0x3c0<br />
? exc_invalid_op+0x4e/0x70<br />
? __slab_free+0x223/0x3c0<br />
? asm_exc_invalid_op+0x16/0x20<br />
? __slab_free+0x223/0x3c0<br />
? extract_hostname+0x5c/0xa0 [cifs]<br />
? extract_hostname+0x5c/0xa0 [cifs]<br />
? __kmalloc+0x4b/0x140<br />
__reconnect_target_unlocked+0x3e/0x160 [cifs]<br />
reconnect_dfs_server+0x145/0x430 [cifs]<br />
cifs_handle_standard+0x1ad/0x1d0 [cifs]<br />
cifs_demultiplex_thread+0x592/0x730 [cifs]<br />
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]<br />
kthread+0xdd/0x100<br />
? __pfx_kthread+0x10/0x10<br />
ret_from_fork+0x29/0x50<br />
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.14.19 (including) | 5.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.3 (including) | 6.6.74 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page