fkie_cve-2024-50036
Vulnerability from fkie_nvd
Published
2024-10-21 20:15
Modified
2024-11-17 15:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()
dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()
Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()
dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.
Decrementing the number of dsts must happen sooner.
Notes:
1) in CONFIG_XFRM case, dst_destroy() can call
dst_release_immediate(child), this might also cause UAF
if the child does not have DST_NOCOUNT set.
IPSEC maintainers might take a look and see how to address this.
2) There is also discussion about removing this count of dst,
which might happen in future kernels.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.12 | |
| linux | linux_kernel | 6.12 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "EB008871-978A-402A-8407-15291079DC44", versionEndExcluding: "3.11", versionStartIncluding: "3.10.50", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "597B9ABF-E2FF-405B-8226-0BD990181032", versionEndExcluding: "3.13", versionStartIncluding: "3.12.26", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "6241E34F-0DAB-4BE0-AD33-1BEEDA5841C9", versionEndExcluding: "3.15", versionStartIncluding: "3.14.14", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "F88CDBE1-4ECE-4BE4-B2A6-7E814D3EA822", versionEndExcluding: "3.16", versionStartIncluding: "3.15.7", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "8D4764C3-4502-4F9B-8704-85262723C867", versionEndExcluding: "6.6.57", versionStartIncluding: "3.16", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "AA84D336-CE9A-4535-B901-1AD77EC17C34", versionEndExcluding: "6.11.4", versionStartIncluding: "6.7", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", matchCriteriaId: "7F361E1D-580F-4A2D-A509-7615F73167A1", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", matchCriteriaId: "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n dst_release_immediate(child), this might also cause UAF\n if the child does not have DST_NOCOUNT set.\n IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n which might happen in future kernels.", }, { lang: "es", value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: no retrasar dst_entries_add() en dst_release() dst_entries_add() usa datos por CPU que podrían liberarse en el desmantelamiento de netns de ip6_route_net_exit() llamando a dst_entries_destroy() Antes de que se pueda llamar a ip6_route_net_exit(), liberamos todos los dst asociados con este netns, a través de llamadas a dst_release(), que espera un período de gracia de rcu antes de llamar a dst_destroy() El uso de dst_entries_add() en dst_destroy() es arriesgado, porque dst_entries_destroy() ya podría haberse llamado. La disminución del número de dst debe ocurrir antes. Notas: 1) en el caso de CONFIG_XFRM, dst_destroy() puede llamar a dst_release_immediate(child), lo que también podría causar UAF si el hijo no tiene DST_NOCOUNT configurado. Los encargados del mantenimiento de IPSEC podrían echar un vistazo y ver cómo solucionar esto. 2) También se está discutiendo sobre la eliminación de este recuento de dst, lo que podría suceder en kernels futuros.", }, ], id: "CVE-2024-50036", lastModified: "2024-11-17T15:15:18.893", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-10-21T20:15:16.717", references: [ { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", url: "https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", url: "https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", url: "https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd", }, ], sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.