cve-2024-50261
Vulnerability from cvelistv5
Published
2024-11-09 10:15
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macsec: Fix use-after-free while sending the offloading packet
KASAN reports the following UAF. The metadata_dst, which is used to
store the SCI value for macsec offload, is already freed by
metadata_dst_free() in macsec_free_netdev(), while driver still use it
for sending the packet.
To fix this issue, dst_release() is used instead to release
metadata_dst. So it is not freed instantly in macsec_free_netdev() if
still referenced by skb.
BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714
[...]
Workqueue: mld mld_ifc_work
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xc1/0x600
kasan_report+0xab/0xe0
mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
dev_hard_start_xmit+0x120/0x530
sch_direct_xmit+0x149/0x11e0
__qdisc_run+0x3ad/0x1730
__dev_queue_xmit+0x1196/0x2ed0
vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]
dev_hard_start_xmit+0x120/0x530
__dev_queue_xmit+0x14a7/0x2ed0
macsec_start_xmit+0x13e9/0x2340
dev_hard_start_xmit+0x120/0x530
__dev_queue_xmit+0x14a7/0x2ed0
ip6_finish_output2+0x923/0x1a70
ip6_finish_output+0x2d7/0x970
ip6_output+0x1ce/0x3a0
NF_HOOK.constprop.0+0x15f/0x190
mld_sendpack+0x59a/0xbd0
mld_ifc_work+0x48a/0xa80
process_one_work+0x5aa/0xe50
worker_thread+0x79c/0x1290
kthread+0x28f/0x350
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x11/0x20
</TASK>
Allocated by task 3922:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x77/0x90
__kmalloc_noprof+0x188/0x400
metadata_dst_alloc+0x1f/0x4e0
macsec_newlink+0x914/0x1410
__rtnl_newlink+0xe08/0x15b0
rtnl_newlink+0x5f/0x90
rtnetlink_rcv_msg+0x667/0xa80
netlink_rcv_skb+0x12c/0x360
netlink_unicast+0x551/0x770
netlink_sendmsg+0x72d/0xbd0
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x52e/0x6a0
___sys_sendmsg+0xeb/0x170
__sys_sendmsg+0xb5/0x140
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 4011:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x50
poison_slab_object+0x10c/0x190
__kasan_slab_free+0x11/0x30
kfree+0xe0/0x290
macsec_free_netdev+0x3f/0x140
netdev_run_todo+0x450/0xc70
rtnetlink_rcv_msg+0x66f/0xa80
netlink_rcv_skb+0x12c/0x360
netlink_unicast+0x551/0x770
netlink_sendmsg+0x72d/0xbd0
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x52e/0x6a0
___sys_sendmsg+0xeb/0x170
__sys_sendmsg+0xb5/0x140
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53
References
Impacted products
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-50261", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-12-11T14:25:36.484321Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-416", description: "CWE-416 Use After Free", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-12-11T14:58:32.434Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/macsec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "872932cf75cf859804370a265dd58118129386fa", status: "affected", version: "0a28bfd4971fd570d1f3e4653b21415becefc92c", versionType: "git", }, { lessThan: "9f5ae743dbe9a2458540a7d35fff0f990df025cf", status: "affected", version: "0a28bfd4971fd570d1f3e4653b21415becefc92c", versionType: "git", }, { lessThan: "4614640f1d5c93c22272117dc256e9940ccac8e8", status: "affected", version: "0a28bfd4971fd570d1f3e4653b21415becefc92c", versionType: "git", }, { lessThan: "f1e54d11b210b53d418ff1476c6b58a2f434dfc0", status: "affected", version: "0a28bfd4971fd570d1f3e4653b21415becefc92c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/macsec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.116", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.60", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: Fix use-after-free while sending the offloading packet\n\nKASAN reports the following UAF. The metadata_dst, which is used to\nstore the SCI value for macsec offload, is already freed by\nmetadata_dst_free() in macsec_free_netdev(), while driver still use it\nfor sending the packet.\n\nTo fix this issue, dst_release() is used instead to release\nmetadata_dst. So it is not freed instantly in macsec_free_netdev() if\nstill referenced by skb.\n\n BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\n Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714\n [...]\n Workqueue: mld mld_ifc_work\n Call Trace:\n <TASK>\n dump_stack_lvl+0x51/0x60\n print_report+0xc1/0x600\n kasan_report+0xab/0xe0\n mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\n dev_hard_start_xmit+0x120/0x530\n sch_direct_xmit+0x149/0x11e0\n __qdisc_run+0x3ad/0x1730\n __dev_queue_xmit+0x1196/0x2ed0\n vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]\n dev_hard_start_xmit+0x120/0x530\n __dev_queue_xmit+0x14a7/0x2ed0\n macsec_start_xmit+0x13e9/0x2340\n dev_hard_start_xmit+0x120/0x530\n __dev_queue_xmit+0x14a7/0x2ed0\n ip6_finish_output2+0x923/0x1a70\n ip6_finish_output+0x2d7/0x970\n ip6_output+0x1ce/0x3a0\n NF_HOOK.constprop.0+0x15f/0x190\n mld_sendpack+0x59a/0xbd0\n mld_ifc_work+0x48a/0xa80\n process_one_work+0x5aa/0xe50\n worker_thread+0x79c/0x1290\n kthread+0x28f/0x350\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x11/0x20\n </TASK>\n\n Allocated by task 3922:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0x77/0x90\n __kmalloc_noprof+0x188/0x400\n metadata_dst_alloc+0x1f/0x4e0\n macsec_newlink+0x914/0x1410\n __rtnl_newlink+0xe08/0x15b0\n rtnl_newlink+0x5f/0x90\n rtnetlink_rcv_msg+0x667/0xa80\n netlink_rcv_skb+0x12c/0x360\n netlink_unicast+0x551/0x770\n netlink_sendmsg+0x72d/0xbd0\n __sock_sendmsg+0xc5/0x190\n ____sys_sendmsg+0x52e/0x6a0\n ___sys_sendmsg+0xeb/0x170\n __sys_sendmsg+0xb5/0x140\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 4011:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x50\n poison_slab_object+0x10c/0x190\n __kasan_slab_free+0x11/0x30\n kfree+0xe0/0x290\n macsec_free_netdev+0x3f/0x140\n netdev_run_todo+0x450/0xc70\n rtnetlink_rcv_msg+0x66f/0xa80\n netlink_rcv_skb+0x12c/0x360\n netlink_unicast+0x551/0x770\n netlink_sendmsg+0x72d/0xbd0\n __sock_sendmsg+0xc5/0x190\n ____sys_sendmsg+0x52e/0x6a0\n ___sys_sendmsg+0xeb/0x170\n __sys_sendmsg+0xb5/0x140\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:36:47.214Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/872932cf75cf859804370a265dd58118129386fa", }, { url: "https://git.kernel.org/stable/c/9f5ae743dbe9a2458540a7d35fff0f990df025cf", }, { url: "https://git.kernel.org/stable/c/4614640f1d5c93c22272117dc256e9940ccac8e8", }, { url: "https://git.kernel.org/stable/c/f1e54d11b210b53d418ff1476c6b58a2f434dfc0", }, ], title: "macsec: Fix use-after-free while sending the offloading packet", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50261", datePublished: "2024-11-09T10:15:14.259Z", dateReserved: "2024-10-21T19:36:19.981Z", dateUpdated: "2024-12-19T09:36:47.214Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2024-50261\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-09T11:15:11.610\",\"lastModified\":\"2024-12-11T15:15:14.133\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmacsec: Fix use-after-free while sending the offloading packet\\n\\nKASAN reports the following UAF. The metadata_dst, which is used to\\nstore the SCI value for macsec offload, is already freed by\\nmetadata_dst_free() in macsec_free_netdev(), while driver still use it\\nfor sending the packet.\\n\\nTo fix this issue, dst_release() is used instead to release\\nmetadata_dst. So it is not freed instantly in macsec_free_netdev() if\\nstill referenced by skb.\\n\\n BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\\n Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714\\n [...]\\n Workqueue: mld mld_ifc_work\\n Call Trace:\\n <TASK>\\n dump_stack_lvl+0x51/0x60\\n print_report+0xc1/0x600\\n kasan_report+0xab/0xe0\\n mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\\n dev_hard_start_xmit+0x120/0x530\\n sch_direct_xmit+0x149/0x11e0\\n __qdisc_run+0x3ad/0x1730\\n __dev_queue_xmit+0x1196/0x2ed0\\n vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]\\n dev_hard_start_xmit+0x120/0x530\\n __dev_queue_xmit+0x14a7/0x2ed0\\n macsec_start_xmit+0x13e9/0x2340\\n dev_hard_start_xmit+0x120/0x530\\n __dev_queue_xmit+0x14a7/0x2ed0\\n ip6_finish_output2+0x923/0x1a70\\n ip6_finish_output+0x2d7/0x970\\n ip6_output+0x1ce/0x3a0\\n NF_HOOK.constprop.0+0x15f/0x190\\n mld_sendpack+0x59a/0xbd0\\n mld_ifc_work+0x48a/0xa80\\n process_one_work+0x5aa/0xe50\\n worker_thread+0x79c/0x1290\\n kthread+0x28f/0x350\\n ret_from_fork+0x2d/0x70\\n ret_from_fork_asm+0x11/0x20\\n </TASK>\\n\\n Allocated by task 3922:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x10/0x30\\n __kasan_kmalloc+0x77/0x90\\n __kmalloc_noprof+0x188/0x400\\n metadata_dst_alloc+0x1f/0x4e0\\n macsec_newlink+0x914/0x1410\\n __rtnl_newlink+0xe08/0x15b0\\n rtnl_newlink+0x5f/0x90\\n rtnetlink_rcv_msg+0x667/0xa80\\n netlink_rcv_skb+0x12c/0x360\\n netlink_unicast+0x551/0x770\\n netlink_sendmsg+0x72d/0xbd0\\n __sock_sendmsg+0xc5/0x190\\n ____sys_sendmsg+0x52e/0x6a0\\n ___sys_sendmsg+0xeb/0x170\\n __sys_sendmsg+0xb5/0x140\\n do_syscall_64+0x4c/0x100\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\\n\\n Freed by task 4011:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x10/0x30\\n kasan_save_free_info+0x37/0x50\\n poison_slab_object+0x10c/0x190\\n __kasan_slab_free+0x11/0x30\\n kfree+0xe0/0x290\\n macsec_free_netdev+0x3f/0x140\\n netdev_run_todo+0x450/0xc70\\n rtnetlink_rcv_msg+0x66f/0xa80\\n netlink_rcv_skb+0x12c/0x360\\n netlink_unicast+0x551/0x770\\n netlink_sendmsg+0x72d/0xbd0\\n __sock_sendmsg+0xc5/0x190\\n ____sys_sendmsg+0x52e/0x6a0\\n ___sys_sendmsg+0xeb/0x170\\n __sys_sendmsg+0xb5/0x140\\n do_syscall_64+0x4c/0x100\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: macsec: Se corrige el use-after-free al enviar el paquete de descarga KASAN informa el siguiente UAF. El metadata_dst, que se utiliza para almacenar el valor SCI para la descarga de macsec, ya está liberado por metadata_dst_free() en macsec_free_netdev(), mientras que el controlador aún lo usa para enviar el paquete. Para solucionar este problema, se utiliza dst_release() en su lugar para liberar metadata_dst. Por lo tanto, no se libera instantáneamente en macsec_free_netdev() si aún se hace referencia a él mediante skb. ERROR: KASAN: uso de losa después de la liberación en mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] Lectura de tamaño 2 en la dirección ffff88813e42e038 por la tarea kworker/7:2/714 [...] Cola de trabajo: mld mld_ifc_work Seguimiento de llamadas: dump_stack_lvl+0x51/0x60 print_report+0xc1/0x600 kasan_report+0xab/0xe0 mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] dev_hard_start_xmit+0x120/0x530 sch_direct_xmit+0x149/0x11e0 __qdisc_run+0x3ad/0x1730 __dev_queue_xmit+0x1196/0x2ed0 vlan_dev_hard_start_xmit+0x32e/0x510 [8021q] dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 macsec_start_xmit+0x13e9/0x2340 dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 ip6_finish_output2+0x923/0x1a70 ip6_finish_output+0x2d7/0x970 ip6_output+0x1ce/0x3a0 Asignado por la tarea 3922: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x77/0x90 __kmalloc_noprof+0x188/0x400 metadatos_dst_alloc+0x1f/0x4e0 macsec_newlink+0x914/0x1410 __rtnl_newlink+0xe08/0x15b0 rtnl_newlink+0x5f/0x90 rtnetlink_rcv_msg+0x667/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Liberado por la tarea 4011: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 poison_slab_object+0x10c/0x190 __kasan_slab_free+0x11/0x30 kfree+0xe0/0x290 macsec_free_netdev+0x3f/0x140 netdev_run_todo+0x450/0xc70 rtnetlink_rcv_msg+0x66f/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 hacer_syscall_64+0x4c/0x100 entrada_SYSCALL_64_después_hwframe+0x4b/0x53\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1\",\"versionEndExcluding\":\"6.1.116\",\"matchCriteriaId\":\"B71B7466-354C-4D9E-881B-828FC1310D19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.60\",\"matchCriteriaId\":\"75088E5E-2400-4D20-915F-7A65C55D9CCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.7\",\"matchCriteriaId\":\"E96F53A4-5E87-4A70-BD9A-BC327828D57F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F717D8-3014-4F84-8086-0124B2111379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"24DBE6C7-2AAE-4818-AED2-E131F153D2FA\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4614640f1d5c93c22272117dc256e9940ccac8e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/872932cf75cf859804370a265dd58118129386fa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9f5ae743dbe9a2458540a7d35fff0f990df025cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f1e54d11b210b53d418ff1476c6b58a2f434dfc0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50261\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-11T14:25:36.484321Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-11T14:25:38.055Z\"}}], \"cna\": {\"title\": \"macsec: Fix use-after-free while sending the offloading packet\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"0a28bfd4971fd570d1f3e4653b21415becefc92c\", \"lessThan\": \"872932cf75cf859804370a265dd58118129386fa\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"0a28bfd4971fd570d1f3e4653b21415becefc92c\", \"lessThan\": \"9f5ae743dbe9a2458540a7d35fff0f990df025cf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"0a28bfd4971fd570d1f3e4653b21415becefc92c\", \"lessThan\": \"4614640f1d5c93c22272117dc256e9940ccac8e8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"0a28bfd4971fd570d1f3e4653b21415becefc92c\", \"lessThan\": \"f1e54d11b210b53d418ff1476c6b58a2f434dfc0\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/macsec.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.1\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.1\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.1.116\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.60\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.11.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/macsec.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/872932cf75cf859804370a265dd58118129386fa\"}, {\"url\": \"https://git.kernel.org/stable/c/9f5ae743dbe9a2458540a7d35fff0f990df025cf\"}, {\"url\": \"https://git.kernel.org/stable/c/4614640f1d5c93c22272117dc256e9940ccac8e8\"}, {\"url\": \"https://git.kernel.org/stable/c/f1e54d11b210b53d418ff1476c6b58a2f434dfc0\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmacsec: Fix use-after-free while sending the offloading packet\\n\\nKASAN reports the following UAF. The metadata_dst, which is used to\\nstore the SCI value for macsec offload, is already freed by\\nmetadata_dst_free() in macsec_free_netdev(), while driver still use it\\nfor sending the packet.\\n\\nTo fix this issue, dst_release() is used instead to release\\nmetadata_dst. So it is not freed instantly in macsec_free_netdev() if\\nstill referenced by skb.\\n\\n BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\\n Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714\\n [...]\\n Workqueue: mld mld_ifc_work\\n Call Trace:\\n <TASK>\\n dump_stack_lvl+0x51/0x60\\n print_report+0xc1/0x600\\n kasan_report+0xab/0xe0\\n mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\\n dev_hard_start_xmit+0x120/0x530\\n sch_direct_xmit+0x149/0x11e0\\n __qdisc_run+0x3ad/0x1730\\n __dev_queue_xmit+0x1196/0x2ed0\\n vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]\\n dev_hard_start_xmit+0x120/0x530\\n __dev_queue_xmit+0x14a7/0x2ed0\\n macsec_start_xmit+0x13e9/0x2340\\n dev_hard_start_xmit+0x120/0x530\\n __dev_queue_xmit+0x14a7/0x2ed0\\n ip6_finish_output2+0x923/0x1a70\\n ip6_finish_output+0x2d7/0x970\\n ip6_output+0x1ce/0x3a0\\n NF_HOOK.constprop.0+0x15f/0x190\\n mld_sendpack+0x59a/0xbd0\\n mld_ifc_work+0x48a/0xa80\\n process_one_work+0x5aa/0xe50\\n worker_thread+0x79c/0x1290\\n kthread+0x28f/0x350\\n ret_from_fork+0x2d/0x70\\n ret_from_fork_asm+0x11/0x20\\n </TASK>\\n\\n Allocated by task 3922:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x10/0x30\\n __kasan_kmalloc+0x77/0x90\\n __kmalloc_noprof+0x188/0x400\\n metadata_dst_alloc+0x1f/0x4e0\\n macsec_newlink+0x914/0x1410\\n __rtnl_newlink+0xe08/0x15b0\\n rtnl_newlink+0x5f/0x90\\n rtnetlink_rcv_msg+0x667/0xa80\\n netlink_rcv_skb+0x12c/0x360\\n netlink_unicast+0x551/0x770\\n netlink_sendmsg+0x72d/0xbd0\\n __sock_sendmsg+0xc5/0x190\\n ____sys_sendmsg+0x52e/0x6a0\\n ___sys_sendmsg+0xeb/0x170\\n __sys_sendmsg+0xb5/0x140\\n do_syscall_64+0x4c/0x100\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\\n\\n Freed by task 4011:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x10/0x30\\n kasan_save_free_info+0x37/0x50\\n poison_slab_object+0x10c/0x190\\n __kasan_slab_free+0x11/0x30\\n kfree+0xe0/0x290\\n macsec_free_netdev+0x3f/0x140\\n netdev_run_todo+0x450/0xc70\\n rtnetlink_rcv_msg+0x66f/0xa80\\n netlink_rcv_skb+0x12c/0x360\\n netlink_unicast+0x551/0x770\\n netlink_sendmsg+0x72d/0xbd0\\n __sock_sendmsg+0xc5/0x190\\n ____sys_sendmsg+0x52e/0x6a0\\n ___sys_sendmsg+0xeb/0x170\\n __sys_sendmsg+0xb5/0x140\\n do_syscall_64+0x4c/0x100\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-12-19T09:36:47.214Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-50261\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T09:36:47.214Z\", \"dateReserved\": \"2024-10-21T19:36:19.981Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-11-09T10:15:14.259Z\", \"assignerShortName\": \"Linux\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.