cve-2024-53140
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
0.03% (0.04765)
Summary
In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress. Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08fPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05caPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603
Impacted products
Vendor Product Version
Linux Linux Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
 Create a notification for this product.
   Linux Linux Version: 4.9
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "net/netlink/af_netlink.c",
                  "net/netlink/af_netlink.h",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "114a61d8d94ae3a43b82446cf737fd757021b834",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "598c956b62699c3753929602560d8df322e60559",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "4e87a52133284afbd40fb522dbf96e258af52a98",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "176c41b3ca9281a9736b67c6121b03dbf0c8c08f",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
                  {
                     lessThan: "1904fb9ebf911441f90a68e96b22aa73e4410505",
                     status: "affected",
                     version: "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "net/netlink/af_netlink.c",
                  "net/netlink/af_netlink.h",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     status: "affected",
                     version: "4.9",
                  },
                  {
                     lessThan: "4.9",
                     status: "unaffected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "4.19.*",
                     status: "unaffected",
                     version: "4.19.325",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.4.*",
                     status: "unaffected",
                     version: "5.4.287",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.10.*",
                     status: "unaffected",
                     version: "5.10.231",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.15.*",
                     status: "unaffected",
                     version: "5.15.174",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.1.*",
                     status: "unaffected",
                     version: "6.1.119",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.6.*",
                     status: "unaffected",
                     version: "6.6.63",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.11.*",
                     status: "unaffected",
                     version: "6.11.10",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "6.12",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump  - actual dump helper, keeps getting called until it returns 0\n - done  - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon't actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we're back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn't have to take a reference of its own.",
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-12-19T09:40:09.982Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834",
            },
            {
               url: "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559",
            },
            {
               url: "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4",
            },
            {
               url: "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603",
            },
            {
               url: "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98",
            },
            {
               url: "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca",
            },
            {
               url: "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f",
            },
            {
               url: "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505",
            },
         ],
         title: "netlink: terminate outstanding dump on socket close",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2024-53140",
      datePublished: "2024-12-04T14:20:44.914Z",
      dateReserved: "2024-11-19T17:17:24.997Z",
      dateUpdated: "2024-12-19T09:40:09.982Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-53140\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-04T15:15:16.803\",\"lastModified\":\"2024-12-14T21:15:38.317\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetlink: terminate outstanding dump on socket close\\n\\nNetlink supports iterative dumping of data. It provides the families\\nthe following ops:\\n - start - (optional) kicks off the dumping process\\n - dump  - actual dump helper, keeps getting called until it returns 0\\n - done  - (optional) pairs with .start, can be used for cleanup\\nThe whole process is asynchronous and the repeated calls to .dump\\ndon't actually happen in a tight loop, but rather are triggered\\nin response to recvmsg() on the socket.\\n\\nThis gives the user full control over the dump, but also means that\\nthe user can close the socket without getting to the end of the dump.\\nTo make sure .start is always paired with .done we check if there\\nis an ongoing dump before freeing the socket, and if so call .done.\\n\\nThe complication is that sockets can get freed from BH and .done\\nis allowed to sleep. So we use a workqueue to defer the call, when\\nneeded.\\n\\nUnfortunately this does not work correctly. What we defer is not\\nthe cleanup but rather releasing a reference on the socket.\\nWe have no guarantee that we own the last reference, if someone\\nelse holds the socket they may release it in BH and we're back\\nto square one.\\n\\nThe whole dance, however, appears to be unnecessary. Only the user\\ncan interact with dumps, so we can clean up when socket is closed.\\nAnd close always happens in process context. Some async code may\\nstill access the socket after close, queue notification skbs to it etc.\\nbut no dumps can start, end or otherwise make progress.\\n\\nDelete the workqueue and flush the dump state directly from the release\\nhandler. Note that further cleanup is possible in -next, for instance\\nwe now always call .done before releasing the main module reference,\\nso dump doesn't have to take a reference of its own.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netlink: termina el volcado pendiente al cerrar el socket Netlink admite el volcado iterativo de datos. Proporciona a las familias las siguientes operaciones: - start - (opcional) inicia el proceso de volcado - dump - asistente de volcado real, se sigue llamando hasta que devuelve 0 - done - (opcional) se empareja con .start, se puede usar para limpieza Todo el proceso es asincrónico y las llamadas repetidas a .dump en realidad no ocurren en un bucle cerrado, sino que se activan en respuesta a recvmsg() en el socket. Esto le da al usuario control total sobre el volcado, pero también significa que el usuario puede cerrar el socket sin llegar al final del volcado. Para asegurarnos de que .start siempre esté emparejado con .done, verificamos si hay un volcado en curso antes de liberar el socket y, si es así, llamamos a .done. La complicación es que los sockets pueden liberarse de BH y se permite que .done duerma. Entonces, usamos una cola de trabajo para diferir la llamada, cuando sea necesario. Lamentablemente, esto no funciona correctamente. Lo que postergamos no es la limpieza, sino la liberación de una referencia en el socket. No tenemos garantía de que seamos dueños de la última referencia; si alguien más tiene el socket, puede liberarlo en BH y volvemos al punto de partida. Sin embargo, todo el baile parece ser innecesario. Solo el usuario puede interactuar con los volcados, por lo que podemos limpiar cuando se cierra el socket. Y el cierre siempre ocurre en el contexto del proceso. Es posible que algún código asincrónico aún acceda al socket después del cierre, ponga en cola skbs de notificación, etc., pero ningún volcado puede comenzar, finalizar o avanzar de otro modo. Elimine la cola de trabajo y vacíe el estado del volcado directamente desde el controlador de liberación. Tenga en cuenta que es posible realizar una desinfección adicional en -next, por ejemplo, ahora siempre llamamos a .done antes de liberar la referencia del módulo principal, por lo que el volcado no tiene que tomar una referencia propia.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.38\",\"versionEndExcluding\":\"4.5\",\"matchCriteriaId\":\"5248A519-0AF6-4AC1-8ECE-37F8CD8EBC14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.8.14\",\"versionEndExcluding\":\"4.9\",\"matchCriteriaId\":\"F21838E0-EAFD-46C4-BBE5-5A923017C905\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.9\",\"versionEndExcluding\":\"6.1.119\",\"matchCriteriaId\":\"E7CBFDD0-07CC-4753-80B2-E08589BDD9EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.63\",\"matchCriteriaId\":\"8800BB45-48BC-4B52-BDA5-B1E4633F42E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.10\",\"matchCriteriaId\":\"C256F46A-AFDD-4B99-AA4F-67D9D9D2C55A\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.