Linux Kernel CIFS Module Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's CIFS (Common Internet File System) module. The issue arises when the CIFS module is unloaded while an underlying TCP socket is still alive, so the lifetime of the module and the lifetime of the socket diverge. The CIFS module initializes a socket lock class (via 'sock_lock_init_class_and_name()'); if the module is then unloaded while the socket is still in the 'FIN_WAIT_1' state, the lock class is accessed after the module has been removed, causing a null pointer dereference.

Impact

Exploitation of this vulnerability leads to a kernel null pointer dereference: the kernel attempts to read through a pointer that no longer refers to valid memory, and the system crashes.

Reproduction

To reproduce this vulnerability, first mount a CIFS share and add an iptables rule that drops incoming FIN packets for the CIFS connection. After unmounting the CIFS share, unload the CIFS module while the underlying TCP socket is still alive, then remove the iptables rule. The CIFS module calls 'sock_release()' for the TCP socket, but the socket remains in 'FIN_WAIT_1' because the incoming FIN packets are being dropped. 'rmmod' therefore succeeds even though the socket is still active, and the null pointer dereference follows when LOCKDEP is enabled.

Remediation

No specific remediation is mentioned, but it is suggested to ensure that a module calling 'sock_lock_init_class_and_name()' cannot be unloaded while the associated socket is still alive.
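As an operational illustration of the remediation suggested above (keeping the module loaded while its sockets are alive), the following POSIX shell script is an added example; it is not part of the advisory and not kernel code. It assumes the `ss -tan` output format (state in the first column, peer address in the fifth), that the CIFS socket uses TCP port 445, and that the module is named `cifs`. The sample `ss` lines are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the advisory): refuse to unload the cifs module
# while any TCP socket to an SMB peer (port 445) is still present.
# Assumptions: `ss -tan` column layout, SMB on TCP/445, module name "cifs".

# Constructed sample of `ss -tan` output used for offline testing.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:22        192.0.2.20:51000
FIN-WAIT-1 0      1      192.0.2.10:40122     192.0.2.50:445
TIME-WAIT  0      0      192.0.2.10:40100     192.0.2.50:445'

# count_smb_sockets: reads ss-style lines on stdin (header included) and
# prints how many sockets have a peer on port 445, regardless of state.
# Every such socket counts, because the advisory's trigger is a socket that
# outlives the module while sitting in a closing state such as FIN-WAIT-1.
count_smb_sockets() {
    awk 'NR > 1 && $5 ~ /:445$/ { n++ } END { print n + 0 }'
}

# smb_sockets_in_sample: runs the counter over the constructed sample.
smb_sockets_in_sample() {
    printf '%s\n' "$SAMPLE_SS" | count_smb_sockets
}

# safe_rmmod_cifs: unload cifs only when no SMB socket remains.
# Returns 1 and leaves the module loaded otherwise.
safe_rmmod_cifs() {
    n=$(ss -tan | count_smb_sockets)
    if [ "$n" -gt 0 ]; then
        echo "refusing to unload cifs: $n SMB socket(s) still present" >&2
        return 1
    fi
    rmmod cifs
}

# Usage (run as root on a live system): safe_rmmod_cifs
```

The counter is deliberately conservative: it treats any socket to port 445, in any state, as a reason not to unload, so a connection stuck in FIN-WAIT-1 because its FIN is never acknowledged blocks the `rmmod` instead of being silently left behind.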

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.