A new vulnerability (CVE-2025-21673) has been resolved in the Linux kernel. It affects the SMB client: a double free of TCP_Server_Info::hostname can occur when the server is shut down in cifs_put_tcp_session(). The cifsd thread may still be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname cannot be freed until the cifsd thread is done. If not resolved, this could lead to a crash or potentially even arbitrary code execution.

Here is the kernel call trace that shows the issue:

Call Trace:
 <TASK>
 ? show_trace_log_lvl+0x1c4/0x2df
 ? show_trace_log_lvl+0x1c4/0x2df
 ? __reconnect_target_unlocked+0x3e/0x160 [cifs]
 ? __die_body.cold+0x8/0xd
 ? die+0x2b/0x50
 ? do_trap+0xce/0x120
 ? __slab_free+0x223/0x3c0
 ? do_error_trap+0x65/0x80
 ? __slab_free+0x223/0x3c0
 ? exc_invalid_op+0x4e/0x70
 ? __slab_free+0x223/0x3c0
 ? asm_exc_invalid_op+0x16/0x20
 ? __slab_free+0x223/0x3c0
 ? extract_hostname+0x5c/0xa0 [cifs]
 ? extract_hostname+0x5c/0xa0 [cifs]
 ? __kmalloc+0x4b/0x140
 __reconnect_target_unlocked+0x3e/0x160 [cifs]
 reconnect_dfs_server+0x145/0x430 [cifs]
 cifs_handle_standard+0x1ad/0x1d0 [cifs]
 cifs_demultiplex_thread+0x592/0x730 [cifs]
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 kthread+0xdd/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x29/0x50
 </TASK>


You can refer to the original commit for this fix here.

Exploit Details

- The vulnerability exists when shutting down the server in cifs_put_tcp_session() in the Linux kernel.
- This can lead to a crash or potentially even arbitrary code execution.

To avoid such vulnerabilities, keep the Linux kernel updated and patched. In this specific case, the fix ensures that @server->hostname is not freed while the cifsd thread is still running: the hostname is only released once that thread is done. By keeping your Linux kernel up to date with the latest security patches, you should be protected against this vulnerability.
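Added example, not the kernel's own code: a constructed userspace model of the ordering rule the fix establishes, where the cifsd thread owns the hostname until it exits and teardown waits for it instead of freeing first. The struct, thread function and target names are hypothetical stand-ins for TCP_Server_Info, the cifsd kthread and the DFS targets.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the kernel objects; not the real fs/smb/client code. */
struct tcp_server_info {
    char *hostname;     /* models TCP_Server_Info::hostname */
    atomic_int stop;    /* models the cifsd exit condition */
    pthread_t tsk;      /* the cifsd thread */
};
static const char *const dfs_targets[] = { "dfs1.corp.test", "dfs2.corp.test", "dfs3.corp.test" };
static atomic_int hostname_frees;   /* counts every free() of ->hostname */
static char *dup_name(const char *t) { char *p = malloc(strlen(t) + 1); return p ? strcpy(p, t) : NULL; }

/* Models the reconnect path (extract_hostname()): swap the old name for the new target. */
static void reconnect_target(struct tcp_server_info *s, const char *target)
{
    free(s->hostname);                  /* in the buggy order a stale pointer is freed again here */
    atomic_fetch_add(&hostname_frees, 1);
    s->hostname = dup_name(target);
}
/* cifsd: walks the DFS targets and notices the exit condition only after the loop. */
static void *cifsd(void *arg)
{
    struct tcp_server_info *s = arg;
    for (size_t i = 0; i < sizeof dfs_targets / sizeof *dfs_targets; i++)
        reconnect_target(s, dfs_targets[i]);
    while (!atomic_load(&s->stop))
        sched_yield();
    free(s->hostname);                  /* fixed ownership: cifsd's exit path frees it */
    s->hostname = NULL;
    atomic_fetch_add(&hostname_frees, 1);
    return NULL;
}
/* Buggy cifs_put_tcp_session() order (deliberately not executed here): free the
 * hostname first, then signal cifsd; a cifsd still mid-loop that already read the
 * old pointer frees it a second time.
 * Fixed order: signal cifsd, wait for it, and never free hostname here.
 * Returns the frees observed (3 reconnects + 1 on exit = 4), or <0 on error. */
static int put_tcp_session_fixed(void)
{
    struct tcp_server_info s = { .hostname = dup_name("initial.corp.test") };
    atomic_store(&hostname_frees, 0);
    if (pthread_create(&s.tsk, NULL, cifsd, &s) != 0)
        return -1;
    atomic_store(&s.stop, 1);           /* like sending SIGKILL to server->tsk */
    pthread_join(s.tsk, NULL);          /* wait until the cifsd thread is done */
    return s.hostname == NULL ? atomic_load(&hostname_frees) : -2;
}
```

Each name is freed exactly once, whichever way the thread and the teardown interleave, because the only free of the final hostname happens on the thread's own exit path.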

Timeline

Published on: 01/31/2025 12:15:28 UTC
Last modified on: 02/04/2025 15:33:41 UTC