A vulnerability has been discovered and resolved in the Linux kernel, specifically in the Kernel-based Server Message Block Daemon (ksmbd). This vulnerability, identified as CVE-2025-21660, revolves around the unexpectedly changed path in the ksmbd_vfs_kern_path_locked function. This post will delve into the details of this vulnerability and discuss the fix implemented in the Linux kernel.

Description of the Vulnerability

The ksmbd_vfs_kern_path_locked function is responsible for resolving file paths in the ksmbd server. When a lookup fails on a path component that is not the last entry, the path buffer supplied by the caller may be left modified. Because that same buffer is later used as the file name for creation, the wrong file may be created or other unexpected behaviour may follow.

The vulnerability exists because the ksmbd_vfs_kern_path_locked function does not properly restore the path buffer when an error occurs. Therefore, when subsequent file operations are carried out, the incorrect path buffer is used, causing unintended consequences.

Code Snippet

Below is a snippet of the code where the vulnerability existed, along with the fix that was implemented. In the original code, the path buffer is not restored when the error occurs:

...
    while (!IS_ERR(dentry)) {
        error = ksmbd_vfs_dentry_make_path2buf(p, buffer);
        if (!error) {
            break;
        }

        de = dentry;
        dentry = dget_parent(dentry);
        if (dentry == de) {
            dput(de);
            error = -EINVAL; // buffer is left as modified by the failed lookup
            break;
        }
        dput(de);
    }
...

The fix implemented adds a call to restore the original path buffer prior to breaking from the loop:

...
    while (!IS_ERR(dentry)) {
        error = ksmbd_vfs_dentry_make_path2buf(p, buffer);
        if (!error) {
            break;
        }

        de = dentry;
        dentry = dget_parent(dentry);
        if (dentry == de) {
            dput(de);
            restore_original_buffer(); // New line added
            error = -EINVAL;
            break;
        }
        dput(de);
    }
...
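The defect described above, as an added example that is not the kernel's code and not from the post: a component-wise lookup that temporarily NUL-terminates the caller's path buffer at each '/' so it can look up the prefix in place. The constructed in-memory tree, the entry_exists helper and the lookup_in_place routine are all assumptions standing in for the share filesystem and for ksmbd's lookup; the point they show is that returning on a non-final component without putting the separator back leaves the caller holding a truncated name, which is exactly the wrong string to hand to a later create.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory directory tree standing in for the share's
 * filesystem: only these paths exist. */
static const char *const existing[] = { "docs", "docs/README", NULL };

static int entry_exists(const char *path)
{
    for (int i = 0; existing[i]; i++)
        if (strcmp(existing[i], path) == 0)
            return 1;
    return 0;
}

/* Hypothetical lookup that NUL-terminates the caller's buffer at each '/'
 * so the prefix can be looked up in place.
 *   restore_on_error == 0 models the defect: an error on a non-final
 *   component returns with the separator still overwritten.
 *   restore_on_error == 1 puts the separator back first, which is the
 *   behaviour the fix establishes. */
static int lookup_in_place(char *path, int restore_on_error)
{
    size_t len = strlen(path), remain = len;

    while (remain) {
        char *seg = path + len - remain;
        char *next = strchr(seg, '/');
        if (!next)
            next = seg + strlen(seg);
        size_t seglen = (size_t)(next - seg);
        int is_last = (*next == '\0');

        if (seglen == 0)
            break;

        *next = '\0';                       /* look up the prefix so far */
        if (!entry_exists(path)) {
            if (restore_on_error && !is_last)
                *next = '/';                /* hand the buffer back intact */
            return -ENOENT;
        }
        if (is_last)
            return 0;

        *next = '/';                        /* normal path: always restored */
        remain -= seglen + 1;
    }
    return 0;
}

/* Error code a caller sees after the lookup (operates on a private copy). */
int lookup_err(const char *input, int restore_on_error)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", input);
    return lookup_in_place(buf, restore_on_error);
}

/* The name a caller that falls back to "create the file named in the
 * buffer" would use after a failed lookup. Returns a static copy. */
const char *name_after_lookup(const char *input, int restore_on_error)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "%s", input);
    lookup_in_place(buf, restore_on_error);
    return buf;
}

int main(void)
{
    /* "docs/sub" does not exist, so the lookup fails on a middle component. */
    printf("buggy: err=%d, buffer now \"%s\"\n",
           lookup_err("docs/sub/newfile", 0), name_after_lookup("docs/sub/newfile", 0));
    printf("fixed: err=%d, buffer now \"%s\"\n",
           lookup_err("docs/sub/newfile", 1), name_after_lookup("docs/sub/newfile", 1));
    return 0;
}
```

With the buggy variant the caller's buffer comes back as "docs/sub" after the failed lookup of "docs/sub/newfile", so a create that reuses the buffer would target the wrong name; with the separator restored it comes back unchanged. When only the last component is missing (the ordinary create-new-file case) both variants leave the buffer intact, which is why the bug is easy to miss in testing.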

Original References

For more detailed information, you can refer to the original sources that discovered and documented this issue:

1. Official CVE Record - CVE-2025-21660

2. Linux Kernel Mailing List - PATCH v3 ksmbd-fix: Locking fix

3. KSMBD GitHub Repository - ksmbd_vfs.c Code

Exploit Details

As of now, no known exploits have been reported for this vulnerability in the wild. However, it's essential to apply kernel updates and patches as they become available, including the fix for this issue, to ensure the security of your Linux systems.

Conclusion

The CVE-2025-21660 vulnerability in the Linux kernel has been resolved with an update to the ksmbd_vfs_kern_path_locked function. The fix ensures that the original path buffer is correctly restored when an error occurs, preventing any unintended consequences with file operations. It's vital to keep your kernel updated and patched to maintain the security and stability of your Linux systems.

Timeline

Published on: 01/21/2025 13:15:09 UTC