ACK: [SRU][J/F][PATCH 0/2] CVE-2024-53168

Ian Whitfield ian.whitfield at canonical.com
Sat May 3 00:00:48 UTC 2025


On Thu, May 01, 2025 at 06:00:56PM +0200, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-53168
> 
> [ Impact ]
> 
> CVE-2024-53168 is a UAF vulnerability in the SunRPC subsystem,
> specifically within the TCP socket handling for RPC clients.
> 
> The vulnerability stems from the premature deallocation of the
> network namespace (net) structure associated with a TCP socket
> used by the SunRPC client. When a network namespace is deleted,
> its associated resources, including sockets, are expected
> to be cleaned up. However, due to a race condition,
> the TCP socket's retransmission timer (tcp_write_timer_handler)
> may still be active and attempt to access the now-freed net structure,
> leading to a Use-After-Free scenario.
> 
> The fix involves holding a reference to the net structure
> for the duration of the TCP socket's lifecycle.
> This ensures that the network namespace remains valid
> until all associated timers and callbacks have completed.
> 
> [ Fix ]
> 
> Oracular: Fixed via upstream stable updates (LP: #2091655)
> Noble: Fixed via upstream stable updates (LP: #2101915)
> Jammy: Cherry picked a dependency and backported the fix commit
> Focal: Backported both a dependency and the fix commit
> 
> 
> [ Test Plan ]
> 
> Compiled and boot tested.
> Stress tested as follows:
> 
> # Host terminal
> $ sudo apt install -y nfs-kernel-server
> 
> $ sudo mkdir -p /mnt/nfs/nfs_server && sudo chmod 777 /mnt/nfs/nfs_server
> 
> $ sudo mkfs.ext4 -F /dev/sdb && sudo mount /dev/sdb /mnt/nfs/nfs_server
> 
> $ echo "/mnt/nfs/nfs_server 192.168.1.0/24(rw,no_root_squash,no_subtree_check,insecure,sync)" | sudo tee /etc/exports
> $ sudo exportfs -r && sudo systemctl restart nfs-kernel-server
> 
> $ sudo unshare --mount --net --uts --ipc --pid --fork --mount-proc bash
> 
> $ sudo ip link add veth_server type veth peer name veth_client
> $ sudo ip addr add 192.168.1.1/24 dev veth_server
> $ sudo ip link set veth_server up
> $ sudo ip link set veth_client netns <pid> # Find the pid of the namespace with (ps aux | grep bash | grep unshare)
> 
> # Unshare terminal
> 
> $ ip addr add 192.168.1.2/24 dev veth_client
> $ ip link set veth_client up
> $ ip route add default via 192.168.1.1
> 
> $ mount -t proc proc /proc
> 
> $ mkdir -p /mnt/nfs/nfs_client && chmod 777 /mnt/nfs/nfs_client
> 
> $ mount -t nfs -o vers=4.1,proto=tcp 192.168.1.1:/mnt/nfs/nfs_server /mnt/nfs/nfs_client
> 
> $ stress-ng \
>     --hdd 4 \
>     --io 2 \
>     --aio 2 \
>     --dir 2 \
>     --aggressive \
>     --timeout 300s \
>     --temp-path /mnt/nfs/nfs_client \
>     --metrics-brief
>     
> $ umount /mnt/nfs/nfs_client
> 
> During the stress test KASAN was enabled, in particular:
> CONFIG_FRAME_WARN = 2048
> CONFIG_RANDOMIZE_BASE = n
> CONFIG_KASAN = y
> CONFIG_KASAN_OUTLINE = y
> CONFIG_KASAN_VMALLOC = y (only in Jammy)
> CONFIG_SLUB_DEBUG = y
> CONFIG_SLUB_DEBUG_ON = y
> 
> [ Where Problems Could Occur ]
> 
> The fix affects the SunRPC client-side TCP transport subsystem.
> An issue with this fix may lead to incorrect handling of reference counting
> for network namespace structures.
> A user might experience problems such as kernel panics or memory corruption
> when unmounting NFS shares from network namespaces, particularly under concurrent
> loads or frequent netns creation and deletion, potentially resulting in system instability
> or denial of service.
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Ian Whitfield <ian.whitfield at canonical.com>
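As an added example (not part of the cover letter or the ACK), two checks worth running around the test plan quoted above: confirm that the client mount really is NFS v4.1 over TCP before starting stress-ng, and scan the kernel log for KASAN reports after the unmount. The mount line and the log excerpt are constructed samples in the shape of /proc/mounts and a KASAN report; the only function name taken from the cover letter is tcp_write_timer_handler.

```shell
#!/bin/sh
# Constructed sample of the /proc/mounts entry the test plan's mount
# command would produce (not captured from a real run).
SAMPLE_MOUNT='192.168.1.1:/mnt/nfs/nfs_server /mnt/nfs/nfs_client nfs4 rw,relatime,vers=4.1,rsize=262144,wsize=262144,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.2,local_lock=none,addr=192.168.1.1 0 0'

# Constructed kernel log excerpt in the shape KASAN uses when it catches a
# use-after-free; addresses, offsets and task ids are made up.
SAMPLE_DMESG='[  312.441] BUG: KASAN: use-after-free in tcp_write_timer_handler+0x2a/0x4f0
[  312.442] Read of size 8 at addr ffff888011ab0e00 by task swapper/1/0
[  312.445] Call Trace:
[  312.446]  tcp_write_timer_handler+0x2a/0x4f0
[  312.447]  call_timer_fn+0xa4/0x3b0'

# Return 0 when $1 (one /proc/mounts line) is an NFS mount at mountpoint $2
# whose options include proto=tcp and vers=4.1, i.e. the transport the
# SunRPC client fix touches. Options are wrapped in commas so that
# "proto=tcp" cannot match inside another option.
mount_uses_tcp_v41() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 ~ /^nfs/ {
            opts = "," $4 ","
            if (opts ~ /,proto=tcp,/ && opts ~ /,vers=4\.1,/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print the number of KASAN bug reports in a kernel log ($1).
# grep -c exits 1 when it finds nothing; "|| true" keeps the count at 0
# instead of turning that into a failure under set -e.
kasan_report_count() {
    printf '%s\n' "$1" | grep -c 'BUG: KASAN:' || true
}

# Return 0 when the log ($1) holds a KASAN use-after-free whose faulting
# function is the retransmission timer handler named in the CVE text.
kasan_uaf_in_tcp_timer() {
    printf '%s\n' "$1" | grep -q 'BUG: KASAN: use-after-free in tcp_write_timer_handler'
}
```

On a real run, feed `grep nfs_client /proc/mounts` and `dmesg` output to these functions from the unshare terminal before and after the stress loop.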
