CVE-2024-53178

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53178
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53178.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53178
Downstream
Related
Published
2024-12-27T13:49:22.085Z
Modified
2025-11-16T08:59:11.226527Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
smb: Don't leak cfid when reconnect races with open_cached_dir
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: Don't leak cfid when reconnect races with opencacheddir

opencacheddir() may either race with the tcon reconnection even before compoundsendrecv() or directly trigger a reconnection via SMB2openinit() or SMBqueryinfo_init().

The reconnection process invokes invalidateallcacheddirs() via cifsmarkopenfilesinvalid(), which removes all cfids from the cfids->entries list but doesn't drop a ref if haslease isn't true. This results in the currently-being-constructed cfid not being on the list, but still having a refcount of 2. It leaks if returned from opencacheddir().

Fix this by setting cfid->has_lease when the ref is actually taken; the cfid will not be used by other threads until it has a valid time.

Addresses these kmemleaks:

unreferenced object 0xffff8881090c4000 (size 1024): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 32 bytes): 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O..... backtrace (crc 6f58c20f): [<ffffffff8b895a1e>] _kmalloccachenoprof+0x2be/0x350 [<ffffffff8bda06e3>] opencacheddir+0x993/0x1fb0 [<ffffffff8bdaa750>] cifsreaddir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iteratedir+0x28f/0x4b0 [<ffffffff8b9a9aed>] _x64sysgetdents64+0xfd/0x200 [<ffffffff8cf6da05>] dosyscall64+0x95/0x1a0 [<ffffffff8d00012f>] entrySYSCALL64afterhwframe+0x76/0x7e unreferenced object 0xffff8881044fdcf8 (size 8): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 8 bytes): 00 cc cc cc cc cc cc cc ........ backtrace (crc 10c106a9): [<ffffffff8b89a3d3>] _kmallocnodetrackcallernoprof+0x363/0x480 [<ffffffff8b7d7256>] kstrdup+0x36/0x60 [<ffffffff8bda0700>] opencacheddir+0x9b0/0x1fb0 [<ffffffff8bdaa750>] cifsreaddir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iteratedir+0x28f/0x4b0 [<ffffffff8b9a9aed>] _x64sysgetdents64+0xfd/0x200 [<ffffffff8cf6da05>] dosyscall64+0x95/0x1a0 [<ffffffff8d00012f>] entrySYSCALL64afterhwframe+0x76/0x7e

And addresses these BUG splats when unmounting the SMB filesystem:

BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umountcheck+0xd0/0x100 Modules linked in: CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:umountcheck+0xd0/0x100 Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41 RSP: 0018:ffff88811cc27978 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3 R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08 R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0 FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0 Call Trace: <TASK> dwalk+0x6a/0x530 shrinkdcacheforumount+0x6a/0x200 genericshutdownsuper+0x52/0x2a0 killanonsuper+0x22/0x40 cifskillsb+0x159/0x1e0 deactivatelockedsuper+0x66/0xe0 cleanupmnt+0x140/0x210 taskworkrun+0xfb/0x170 syscallexittousermode+0x29f/0x2b0 dosyscall64+0xa1/0x1a0 entrySYSCALL64after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ebe98f1447bbccf8228335c62d86af02a0ed23f7
Fixed
31fabf70d58388d5475e48ca8a6b7d2847b36678
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ebe98f1447bbccf8228335c62d86af02a0ed23f7
Fixed
1d76332d783db12684b67592f1fb2057b88af4c3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ebe98f1447bbccf8228335c62d86af02a0ed23f7
Fixed
73a57b25b4df23f22814fc06b7e8f9cf570be026
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ebe98f1447bbccf8228335c62d86af02a0ed23f7
Fixed
7afb86733685c64c604d32faf00fa4a1f22c2ab1

Affected versions

v6.*

v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.10
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-53178-32c85f28",
        "digest": {
            "line_hashes": [
                "256700178829366002923101513533625744189",
                "125477545336577110918239450330020581939",
                "321316049628787600934755915943503438926",
                "81133716801839105563341510572358129350",
                "300680398817971673786925793307096856613",
                "222612725037871592007830324485754105213",
                "304889980592107084552205957799582757182",
                "186307141239804535463245447296097034776",
                "119640234309434033715232701255127592167",
                "317432564139036478131500730251438291508",
                "31828686643132972728996544707361292858",
                "15948169875047769054193137452261626135",
                "282364967853545580936303949311702307187"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7afb86733685c64c604d32faf00fa4a1f22c2ab1",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-414cee12",
        "digest": {
            "length": 4996.0,
            "function_hash": "155467224071291539599103303644679234565"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31fabf70d58388d5475e48ca8a6b7d2847b36678",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "open_cached_dir"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-449530d5",
        "digest": {
            "length": 931.0,
            "function_hash": "40631451838328313324358736155599555192"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31fabf70d58388d5475e48ca8a6b7d2847b36678",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "find_or_create_cached_dir"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-53178-5c7da214",
        "digest": {
            "line_hashes": [
                "256700178829366002923101513533625744189",
                "125477545336577110918239450330020581939",
                "321316049628787600934755915943503438926",
                "81133716801839105563341510572358129350",
                "300680398817971673786925793307096856613",
                "222612725037871592007830324485754105213",
                "304889980592107084552205957799582757182",
                "186307141239804535463245447296097034776",
                "119640234309434033715232701255127592167",
                "317432564139036478131500730251438291508",
                "31828686643132972728996544707361292858",
                "15948169875047769054193137452261626135",
                "282364967853545580936303949311702307187"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d76332d783db12684b67592f1fb2057b88af4c3",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-53178-9236880c",
        "digest": {
            "line_hashes": [
                "256700178829366002923101513533625744189",
                "125477545336577110918239450330020581939",
                "321316049628787600934755915943503438926",
                "81133716801839105563341510572358129350",
                "300680398817971673786925793307096856613",
                "222612725037871592007830324485754105213",
                "304889980592107084552205957799582757182",
                "186307141239804535463245447296097034776",
                "119640234309434033715232701255127592167",
                "317432564139036478131500730251438291508",
                "31828686643132972728996544707361292858",
                "15948169875047769054193137452261626135",
                "282364967853545580936303949311702307187"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31fabf70d58388d5475e48ca8a6b7d2847b36678",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-aa603012",
        "digest": {
            "length": 4996.0,
            "function_hash": "155467224071291539599103303644679234565"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73a57b25b4df23f22814fc06b7e8f9cf570be026",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "open_cached_dir"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-b92128cc",
        "digest": {
            "length": 931.0,
            "function_hash": "40631451838328313324358736155599555192"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d76332d783db12684b67592f1fb2057b88af4c3",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "find_or_create_cached_dir"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-53178-bbc0f0ce",
        "digest": {
            "line_hashes": [
                "256700178829366002923101513533625744189",
                "125477545336577110918239450330020581939",
                "321316049628787600934755915943503438926",
                "81133716801839105563341510572358129350",
                "300680398817971673786925793307096856613",
                "222612725037871592007830324485754105213",
                "304889980592107084552205957799582757182",
                "186307141239804535463245447296097034776",
                "119640234309434033715232701255127592167",
                "317432564139036478131500730251438291508",
                "31828686643132972728996544707361292858",
                "15948169875047769054193137452261626135",
                "282364967853545580936303949311702307187"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73a57b25b4df23f22814fc06b7e8f9cf570be026",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-cc7c80f0",
        "digest": {
            "length": 4996.0,
            "function_hash": "155467224071291539599103303644679234565"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7afb86733685c64c604d32faf00fa4a1f22c2ab1",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "open_cached_dir"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-d50a1838",
        "digest": {
            "length": 931.0,
            "function_hash": "40631451838328313324358736155599555192"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73a57b25b4df23f22814fc06b7e8f9cf570be026",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "find_or_create_cached_dir"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-ebd1810c",
        "digest": {
            "length": 931.0,
            "function_hash": "40631451838328313324358736155599555192"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7afb86733685c64c604d32faf00fa4a1f22c2ab1",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "find_or_create_cached_dir"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-53178-ee7a1b13",
        "digest": {
            "length": 4996.0,
            "function_hash": "155467224071291539599103303644679234565"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d76332d783db12684b67592f1fb2057b88af4c3",
        "signature_version": "v1",
        "target": {
            "file": "fs/smb/client/cached_dir.c",
            "function": "open_cached_dir"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.6.64
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.11
Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.2