[SRU][J/F][PATCH 0/2] CVE-2024-53168

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Thu May 1 16:00:56 UTC 2025


https://ubuntu.com/security/CVE-2024-53168

[ Impact ]

CVE-2024-53168 is a use-after-free (UAF) vulnerability in the SunRPC subsystem,
specifically within the TCP socket handling for RPC clients.

The vulnerability stems from the premature deallocation of the
network namespace (net) structure associated with a TCP socket
used by the SunRPC client. When a network namespace is deleted,
its associated resources, including sockets, are expected
to be cleaned up. However, due to a race condition,
the TCP socket's retransmission timer (tcp_write_timer_handler)
may still be active and attempt to access the now-freed net structure,
leading to a Use-After-Free scenario.

The fix involves holding a reference to the net structure
for the duration of the TCP socket's lifecycle.
This ensures that the network namespace remains valid
until all associated timers and callbacks have completed.
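The lifetime problem and the reference-holding fix, as a constructed userspace model added here
(not kernel code and not the patches in this series): the netns core drops its own reference at
teardown, a pending retransmission timer still dereferences sk_net, and pinning the namespace for
the socket's lifetime keeps it valid until the timer has finished.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of struct net: a refcount plus a "freed" flag instead of
 * a real free(), so the unfixed path is observable without undefined behaviour. */
struct net {
    int refcnt;
    bool freed;
    int ns_id;
};

/* Constructed model of the RPC client's TCP socket. */
struct sock {
    struct net *sk_net;
    bool holds_net_ref;   /* the fix: socket owns a reference on its netns */
    int retransmits;
};

static struct net *get_net(struct net *net) { net->refcnt++; return net; }
static void put_net(struct net *net) { if (--net->refcnt == 0) net->freed = true; }

/* Namespace deletion: the netns core drops the reference it holds. */
static void net_exit(struct net *net) { put_net(net); }

/* Models tcp_write_timer_handler running after the namespace was deleted.
 * Returns the namespace id it read, or -1 where KASAN would flag a UAF. */
static int tcp_write_timer_handler(struct sock *sk)
{
    struct net *net = sk->sk_net;
    if (net->freed)
        return -1;
    sk->retransmits++;
    return net->ns_id;
}

/* Socket teardown: with the fix, the socket's reference is dropped only now,
 * after its timers and callbacks have completed. */
static void sock_destroy(struct sock *sk) { if (sk->holds_net_ref) put_net(sk->sk_net); }

/* Scenario: socket created in a netns, netns deleted while a retransmission
 * timer is pending, timer fires afterwards. fixed=false reproduces the race. */
static int run_scenario(bool fixed)
{
    struct net net = { .refcnt = 1, .freed = false, .ns_id = 42 };
    struct sock sk = { .sk_net = &net, .holds_net_ref = fixed, .retransmits = 0 };
    if (fixed)
        get_net(&net);            /* pin the namespace for the socket's lifetime */
    net_exit(&net);               /* unfixed: refcnt hits 0, net is gone */
    int r = tcp_write_timer_handler(&sk);
    sock_destroy(&sk);            /* fixed: last reference released here */
    return r;
}
```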

[ Fix ]

Oracular: Fixed via upstream stable updates (LP: #2091655)
Noble: Fixed via upstream stable updates (LP: #2101915)
Jammy: Cherry picked a dependency and backported the fix commit
Focal: Backported both a dependency and the fix commit


[ Test Plan ]

Compiled and boot tested.
Stress tested as follows:

# Host terminal
$ sudo apt install -y nfs-kernel-server

$ sudo mkdir -p /mnt/nfs/nfs_server && sudo chmod 777 /mnt/nfs/nfs_server

$ sudo mkfs.ext4 -F /dev/sdb && sudo mount /dev/sdb /mnt/nfs/nfs_server

$ echo "/mnt/nfs/nfs_server 192.168.1.0/24(rw,no_root_squash,no_subtree_check,insecure,sync)" | sudo tee /etc/exports
$ sudo exportfs -r && sudo systemctl restart nfs-kernel-server

$ sudo unshare --mount --net --uts --ipc --pid --fork --mount-proc bash

$ sudo ip link add veth_server type veth peer name veth_client
$ sudo ip addr add 192.168.1.1/24 dev veth_server
$ sudo ip link set veth_server up
$ sudo ip link set veth_client netns <pid> # Find the pid of the namespace with (ps aux | grep bash | grep unshare)

# Unshare terminal

$ ip addr add 192.168.1.2/24 dev veth_client
$ ip link set veth_client up
$ ip route add default via 192.168.1.1

$ mount -t proc proc /proc

$ mkdir -p /mnt/nfs/nfs_client && chmod 777 /mnt/nfs/nfs_client

$ mount -t nfs -o vers=4.1,proto=tcp 192.168.1.1:/mnt/nfs/nfs_server /mnt/nfs/nfs_client

$ stress-ng \
    --hdd 4 \
    --io 2 \
    --aio 2 \
    --dir 2 \
    --aggressive \
    --timeout 300s \
    --temp-path /mnt/nfs/nfs_client \
    --metrics-brief
$ umount /mnt/nfs/nfs_client

During the stress test KASAN was enabled, in particular:
CONFIG_FRAME_WARN = 2048
CONFIG_RANDOMIZE_BASE = n
CONFIG_KASAN = y
CONFIG_KASAN_OUTLINE = y
CONFIG_KASAN_VMALLOC = y (only in Jammy)
CONFIG_SLUB_DEBUG = y
CONFIG_SLUB_DEBUG_ON = y

[ Where Problems Could Occur ]

The fix affects the SunRPC client-side TCP transport subsystem.
An issue with this fix may lead to incorrect handling of reference counting
for network namespace structures.
A user might experience problems such as kernel panics or memory corruption
when unmounting NFS shares from network namespaces, particularly under concurrent
loads or frequent netns creation and deletion, potentially resulting in system instability
or denial of service.