1. Home
  2. Vulnerabilities
  3. CVE-2024-54680
0.0
NA
CVE-2024-54680
Linux Kernel Samba SMB Client NetNS Reference Counting Vulnerability
Description

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

INFO

Published Date :

Jan. 11, 2025, 1:15 p.m.

Last Modified :

April 2, 2025, 4:15 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2024-54680 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
Solution
No remediation necessary for this rejected CVE.
  • Confirm no action is needed for rejected CVEs.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-54680 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2024-54680 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Rejected by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 02, 2025

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 02, 2025

    Action Type Old Value New Value
    Changed Description In the Linux kernel, the following vulnerability has been resolved: smb: client: fix TCP timers deadlock after rmmod Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") fixed a netns UAF by manually enabled socket refcounting (sk->sk_net_refcnt=1 and sock_inuse_add(net, 1)). The reason the patch worked for that bug was because we now hold references to the netns (get_net_track() gets a ref internally) and they're properly released (internally, on __sk_destruct()), but only because sk->sk_net_refcnt was set. Problem: (this happens regardless of CONFIG_NET_NS_REFCNT_TRACKER and regardless if init_net or other) Setting sk->sk_net_refcnt=1 *manually* and *after* socket creation is not only out of cifs scope, but also technically wrong -- it's set conditionally based on user (=1) vs kernel (=0) sockets. And net/ implementations seem to base their user vs kernel space operations on it. e.g. upon TCP socket close, the TCP timers are not cleared because sk->sk_net_refcnt=1: (cf. commit 151c9c724d05 ("tcp: properly terminate timers for kernel sockets")) net/ipv4/tcp.c: void tcp_close(struct sock *sk, long timeout) { lock_sock(sk); __tcp_close(sk, timeout); release_sock(sk); if (!sk->sk_net_refcnt) inet_csk_clear_xmit_timers_sync(sk); sock_put(sk); } Which will throw a lockdep warning and then, as expected, deadlock on tcp_write_timer(). A way to reproduce this is by running the reproducer from ef7134c7fc48 and then 'rmmod cifs'. A few seconds later, the deadlock/lockdep warning shows up. Fix: We shouldn't mess with socket internals ourselves, so do not set sk_net_refcnt manually. Also change __sock_create() to sock_create_kern() for explicitness. As for non-init_net network namespaces, we deal with it the best way we can -- hold an extra netns reference for server->ssocket and drop it when it's released. This ensures that the netns still exists whenever we need to create/destroy server->ssocket, but is not directly tied to it. Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
    Removed CVSS V3.1 NIST: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Removed CVSS V3.1 CISA-ADP: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Removed CWE NIST: CWE-667
    Removed CWE CISA-ADP: CWE-416
    Removed CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.11.9 up to (excluding) 6.12.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.62 up to (excluding) 6.6.68
    Removed Reference kernel.org: https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079
    Removed Reference kernel.org: https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0
    Removed Reference kernel.org: https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801
    Removed Reference Type kernel.org: https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079 Types: Patch
    Removed Reference Type kernel.org: https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0 Types: Patch
    Removed Reference Type kernel.org: https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801 Types: Patch
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 10, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-416
  • Initial Analysis by [email protected]

    Jan. 16, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE NIST CWE-667
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.62 up to (excluding) 6.6.68 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.11.9 up to (excluding) 6.12.7 *cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
    Changed Reference Type https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079 No Types Assigned https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079 Patch
    Changed Reference Type https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0 No Types Assigned https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0 Patch
    Changed Reference Type https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801 No Types Assigned https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801 Patch
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jan. 11, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: smb: client: fix TCP timers deadlock after rmmod Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") fixed a netns UAF by manually enabled socket refcounting (sk->sk_net_refcnt=1 and sock_inuse_add(net, 1)). The reason the patch worked for that bug was because we now hold references to the netns (get_net_track() gets a ref internally) and they're properly released (internally, on __sk_destruct()), but only because sk->sk_net_refcnt was set. Problem: (this happens regardless of CONFIG_NET_NS_REFCNT_TRACKER and regardless if init_net or other) Setting sk->sk_net_refcnt=1 *manually* and *after* socket creation is not only out of cifs scope, but also technically wrong -- it's set conditionally based on user (=1) vs kernel (=0) sockets. And net/ implementations seem to base their user vs kernel space operations on it. e.g. upon TCP socket close, the TCP timers are not cleared because sk->sk_net_refcnt=1: (cf. commit 151c9c724d05 ("tcp: properly terminate timers for kernel sockets")) net/ipv4/tcp.c: void tcp_close(struct sock *sk, long timeout) { lock_sock(sk); __tcp_close(sk, timeout); release_sock(sk); if (!sk->sk_net_refcnt) inet_csk_clear_xmit_timers_sync(sk); sock_put(sk); } Which will throw a lockdep warning and then, as expected, deadlock on tcp_write_timer(). A way to reproduce this is by running the reproducer from ef7134c7fc48 and then 'rmmod cifs'. A few seconds later, the deadlock/lockdep warning shows up. Fix: We shouldn't mess with socket internals ourselves, so do not set sk_net_refcnt manually. Also change __sock_create() to sock_create_kern() for explicitness. As for non-init_net network namespaces, we deal with it the best way we can -- hold an extra netns reference for server->ssocket and drop it when it's released. This ensures that the netns still exists whenever we need to create/destroy server->ssocket, but is not directly tied to it.
    Added Reference https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079
    Added Reference https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0
    Added Reference https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.