nvd-json-data-feeds/CVE-2024/CVE-2024-531xx/CVE-2024-53178.json

{
  "id": "CVE-2024-53178",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-12-27T14:15:25.183",
  "lastModified": "2024-12-27T14:15:25.183",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Don't leak cfid when reconnect races with open_cached_dir\n\nopen_cached_dir() may either race with the tcon reconnection even before\ncompound_send_recv() or directly trigger a reconnection via\nSMB2_open_init() or SMB_query_info_init().\n\nThe reconnection process invokes invalidate_all_cached_dirs() via\ncifs_mark_open_files_invalid(), which removes all cfids from the\ncfids->entries list but doesn't drop a ref if has_lease isn't true. This\nresults in the currently-being-constructed cfid not being on the list,\nbut still having a refcount of 2. It leaks if returned from\nopen_cached_dir().\n\nFix this by setting cfid->has_lease when the ref is actually taken; the\ncfid will not be used by other threads until it has a valid time.\n\nAddresses these kmemleaks:\n\nunreferenced object 0xffff8881090c4000 (size 1024):\n  comm \"bash\", pid 1860, jiffies 4295126592\n  hex dump (first 32 bytes):\n    00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........\".......\n    00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff  ..E\"......O.....\n  backtrace (crc 6f58c20f):\n    [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350\n    [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0\n    [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50\n    [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0\n    [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200\n    [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0\n    [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e\nunreferenced object 0xffff8881044fdcf8 (size 8):\n  comm \"bash\", pid 1860, jiffies 4295126592\n  hex dump (first 8 bytes):\n    00 cc cc cc cc cc cc cc                          ........\n  backtrace (crc 10c106a9):\n    [<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480\n    [<ffffffff8b7d7256>] kstrdup+0x36/0x60\n    [<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0\n    [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50\n    [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0\n    [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200\n    [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0\n    [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAnd addresses these BUG splats when unmounting the SMB filesystem:\n\nBUG: Dentry ffff888140590ba0{i=1000000000080,n=/}  still in use (2) [unmount of cifs cifs]\nWARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100\nModules linked in:\nCPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:umount_check+0xd0/0x100\nCode: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41\nRSP: 0018:ffff88811cc27978 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40\nRBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3\nR10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08\nR13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0\nFS:  00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n d_walk+0x6a/0x530\n shrink_dcache_for_umount+0x6a/0x200\n generic_shutdown_super+0x52/0x2a0\n kill_anon_super+0x22/0x40\n cifs_kill_sb+0x159/0x1e0\n deactivate_locked_super+0x66/0xe0\n cleanup_mnt+0x140/0x210\n task_work_run+0xfb/0x170\n syscall_exit_to_user_mode+0x29f/0x2b0\n do_syscall_64+0xa1/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f23bfb93ae7\nCode: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 \n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: No filtrar cfid cuando la reconexi\u00f3n compite con open_cached_dir open_cached_dir() puede competir con la reconexi\u00f3n tcon incluso antes de Compound_send_recv() o activar directamente una reconexi\u00f3n a trav\u00e9s de SMB2_open_init() o SMB_query_info_init(). El proceso de reconexi\u00f3n invoca invalidate_all_cached_dirs() a trav\u00e9s de cifs_mark_open_files_invalid(), que elimina todos los cfids de la lista cfids-&gt;entries pero no elimina una referencia si has_lease no es verdadero. Esto da como resultado que el cfid que se est\u00e1 construyendo actualmente no est\u00e9 en la lista, pero a\u00fan tenga un recuento de referencias de 2. Se filtra si se devuelve desde open_cached_dir(). Solucione esto configurando cfid-&gt;has_lease cuando la referencia se toma realmente; el cfid no ser\u00e1 utilizado por otros subprocesos hasta que tenga un tiempo v\u00e1lido. Aborda estos kmemleaks: objeto sin referencia 0xffff8881090c4000 (tama\u00f1o 1024): comm \"bash\", pid 1860, jiffies 4295126592 volcado hexadecimal (primeros 32 bytes): 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ..........\"....... 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E\"...O..... backtrace (crc 6f58c20f): [] __kmalloc_cache_noprof+0x2be/0x350 [] directorio_cach\u00e9_abierto+0x993/0x1fb0 [] directorio_lectura_cifs+0x15a0/0x1d50 [] directorio_iteraci\u00f3n+0x28f/0x4b0 [] __x64_sys_getdents64+0xfd/0x200 [] llamada_al_sistema_64+0x95/0x1a0 [] entrada_SYSCALL_64_despu\u00e9s_de_hwframe+0x76/0x7e objeto sin referencia 0xffff8881044fdcf8 (tama\u00f1o 8): comm \"bash\", pid 1860, jiffies 4295126592 volcado hexadecimal (primeros 8 bytes): 00 cc cc cc cc cc cc cc cc ........ seguimiento inverso (crc 10c106a9): [] __kmalloc_node_track_caller_noprof+0x363/0x480 [] kstrdup+0x36/0x60 [] open_cached_dir+0x9b0/0x1fb0 [] cifs_readdir+0x15a0/0x1d50 [] iterate_dir+0x28f/0x4b0 [] __x64_sys_getdents64+0xfd/0x200 [] do_syscall_64+0x95/0x1a0 [] entry_SYSCALL_64_after_hwframe+0x76/0x7e Y soluciona estos errores al desmontar el sistema de archivos SMB: ERROR: Dentry ffff888140590ba0{i=1000000000080,n=/} todav\u00eda en uso (2) [desmontaje de cifs cifs] ADVERTENCIA: CPU: 3 PID: 3433 en fs/dcache.c:1536 umount_check+0xd0/0x100 M\u00f3dulos vinculados: CPU: 3 UID: 0 PID: 3433 Comm: bash No contaminado 6.12.0-rc4-g850925a8133c-dirty #49 Nombre del hardware: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/11/2020 RIP: 0010:umount_check+0xd0/0x100 C\u00f3digo: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff &lt;0f&gt; 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41 RSP: 0018:ffff88811cc27978 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: fffffffaaf20bae RDX: dffffc0000000000 RSI: 00000000000000008 RDI: ffff8881f6fb6f40 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3 R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08 R13: 00000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0 FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0 Seguimiento de llamadas:  d_walk+0x6a/0x530 encoger_dcache_for_umount+0x6a/0x200 apagado_gen\u00e9rico_super+0x52/0x2a0 matar_an\u00f3nimo_super+0x22/0x40 matar_sb_cifs+0x159/0x1e0 desactivar_bloqueado_super+0x66/0xe0 desinfecci\u00f3n_mnt+0x140/0x210 ejecuci\u00f3n_trabajo_tarea+0xfb/0x170 salida_llamada_al_sistema_al_modo_usuario+0x29f/0x2b0 llamada_al_sistema_64+0xa1/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 C\u00f3digo: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01  ---truncado---"
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/1d76332d783db12684b67592f1fb2057b88af4c3",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/31fabf70d58388d5475e48ca8a6b7d2847b36678",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/73a57b25b4df23f22814fc06b7e8f9cf570be026",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/7afb86733685c64c604d32faf00fa4a1f22c2ab1",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}