github - ghsa-m2h6-g9h7-jxfj

ghsa-m2h6-g9h7-jxfj

Vulnerability from github

Published

2024-12-27 15:31

Modified

2025-02-03 15:32

Severity ?

7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential UAF in default_operstate()

syzbot reported an UAF in default_operstate() [1]

Issue is a race between device and netns dismantles.

After calling __rtnl_unlock() from netdev_run_todo(), we can not assume the netns of each device is still alive.

Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index().

We might move this ASSERT_RTNL() in __dev_get_by_index() in the future.

[1]

BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339

CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 default_operstate net/core/link_watch.c:51 [inline] rfc2863_policy+0x224/0x300 net/core/link_watch.c:67 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock include/linux/rtnetlink.h:133 [inline] rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 _syssendmsg+0x52a/0x7e0 net/socket.c:2583 _sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a3cb80809 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008 RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8

Allocated by task 5339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kmalloc_array_noprof include/linux/slab.h:945 [inline] netdev_create_hash net/core/dev.c:11870 [inline] netdev_init+0x10c/0x250 net/core/dev.c:11890 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314 __do_sys_unshare kernel/fork.c:3385 [inline] __se_sys_unshare kernel/fork.c:3383 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x8 ---truncated---

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2024-56635",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-362",
         "CWE-416",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-12-27T15:15:23Z",
      severity: "HIGH",
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential UAF in default_operstate()\n\nsyzbot reported an UAF in default_operstate() [1]\n\nIssue is a race between device and netns dismantles.\n\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\n\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\n\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\n\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\n  default_operstate net/core/link_watch.c:51 [inline]\n  rfc2863_policy+0x224/0x300 net/core/link_watch.c:67\n  linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\n  netdev_run_todo+0x461/0x1000 net/core/dev.c:10894\n  rtnl_unlock net/core/rtnetlink.c:152 [inline]\n  rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\n  rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\n  rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:726\n  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n  ___sys_sendmsg net/socket.c:2637 [inline]\n  __sys_sendmsg+0x269/0x350 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n </TASK>\n\nAllocated by task 5339:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n  kmalloc_noprof include/linux/slab.h:901 [inline]\n  kmalloc_array_noprof include/linux/slab.h:945 [inline]\n  netdev_create_hash net/core/dev.c:11870 [inline]\n  netdev_init+0x10c/0x250 net/core/dev.c:11890\n  ops_init+0x31e/0x590 net/core/net_namespace.c:138\n  setup_net+0x287/0x9e0 net/core/net_namespace.c:362\n  copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\n  create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\n  ksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n  __do_sys_unshare kernel/fork.c:3385 [inline]\n  __se_sys_unshare kernel/fork.c:3383 [inline]\n  __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x8\n---truncated---",
   id: "GHSA-m2h6-g9h7-jxfj",
   modified: "2025-02-03T15:32:01Z",
   published: "2024-12-27T15:31:55Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-56635",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/316183d58319f191e16503bc2dffa156c4442df2",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/3265aab0736f78bb218200b06b1abb525c316269",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/750e51603395e755537da08f745864c93e3ce741",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
         type: "CVSS_V3",
      },
   ],
}

cve-2024-56635

Vulnerability from cvelistv5

Published

2024-12-27 15:02

Modified

2025-02-10 17:21

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: avoid potential UAF in default_operstate() syzbot reported an UAF in default_operstate() [1] Issue is a race between device and netns dismantles. After calling __rtnl_unlock() from netdev_run_todo(), we can not assume the netns of each device is still alive. Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index(). We might move this ASSERT_RTNL() in __dev_get_by_index() in the future. [1] BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339 CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 default_operstate net/core/link_watch.c:51 [inline] rfc2863_policy+0x224/0x300 net/core/link_watch.c:67 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock include/linux/rtnetlink.h:133 [inline] rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a3cb80809 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008 RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8 </TASK> Allocated by task 5339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kmalloc_array_noprof include/linux/slab.h:945 [inline] netdev_create_hash net/core/dev.c:11870 [inline] netdev_init+0x10c/0x250 net/core/dev.c:11890 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314 __do_sys_unshare kernel/fork.c:3385 [inline] __se_sys_unshare kernel/fork.c:3383 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x8 ---truncated---

References

▼	URL	Tags
	https://git.kernel.org/stable/c/3265aab0736f78bb218200b06b1abb525c316269
	https://git.kernel.org/stable/c/316183d58319f191e16503bc2dffa156c4442df2
	https://git.kernel.org/stable/c/750e51603395e755537da08f745864c93e3ce741

Impacted products

Vendor

Product

Version

▼

Linux

Version: 8c55facecd7ade835287298ce325f930d888d8ec
Version: 8c55facecd7ade835287298ce325f930d888d8ec
Version: 8c55facecd7ade835287298ce325f930d888d8ec

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "LOCAL",
                     availabilityImpact: "HIGH",
                     baseScore: 7.8,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "HIGH",
                     privilegesRequired: "LOW",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-56635",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-10T17:12:40.278798Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-416",
                        description: "CWE-416 Use After Free",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-10T17:21:08.285Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "net/core/link_watch.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "3265aab0736f78bb218200b06b1abb525c316269",
                     status: "affected",
                     version: "8c55facecd7ade835287298ce325f930d888d8ec",
                     versionType: "git",
                  },
                  {
                     lessThan: "316183d58319f191e16503bc2dffa156c4442df2",
                     status: "affected",
                     version: "8c55facecd7ade835287298ce325f930d888d8ec",
                     versionType: "git",
                  },
                  {
                     lessThan: "750e51603395e755537da08f745864c93e3ce741",
                     status: "affected",
                     version: "8c55facecd7ade835287298ce325f930d888d8ec",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "net/core/link_watch.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     status: "affected",
                     version: "6.2",
                  },
                  {
                     lessThan: "6.2",
                     status: "unaffected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.6.*",
                     status: "unaffected",
                     version: "6.6.66",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.12.*",
                     status: "unaffected",
                     version: "6.12.5",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "6.13",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential UAF in default_operstate()\n\nsyzbot reported an UAF in default_operstate() [1]\n\nIssue is a race between device and netns dismantles.\n\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\n\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\n\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\n\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\n  default_operstate net/core/link_watch.c:51 [inline]\n  rfc2863_policy+0x224/0x300 net/core/link_watch.c:67\n  linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\n  netdev_run_todo+0x461/0x1000 net/core/dev.c:10894\n  rtnl_unlock net/core/rtnetlink.c:152 [inline]\n  rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\n  rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\n  rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:726\n  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n  ___sys_sendmsg net/socket.c:2637 [inline]\n  __sys_sendmsg+0x269/0x350 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n </TASK>\n\nAllocated by task 5339:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n  kmalloc_noprof include/linux/slab.h:901 [inline]\n  kmalloc_array_noprof include/linux/slab.h:945 [inline]\n  netdev_create_hash net/core/dev.c:11870 [inline]\n  netdev_init+0x10c/0x250 net/core/dev.c:11890\n  ops_init+0x31e/0x590 net/core/net_namespace.c:138\n  setup_net+0x287/0x9e0 net/core/net_namespace.c:362\n  copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\n  create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\n  ksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n  __do_sys_unshare kernel/fork.c:3385 [inline]\n  __se_sys_unshare kernel/fork.c:3383 [inline]\n  __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x8\n---truncated---",
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-20T06:24:40.654Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/3265aab0736f78bb218200b06b1abb525c316269",
            },
            {
               url: "https://git.kernel.org/stable/c/316183d58319f191e16503bc2dffa156c4442df2",
            },
            {
               url: "https://git.kernel.org/stable/c/750e51603395e755537da08f745864c93e3ce741",
            },
         ],
         title: "net: avoid potential UAF in default_operstate()",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2024-56635",
      datePublished: "2024-12-27T15:02:38.213Z",
      dateReserved: "2024-12-27T15:00:39.838Z",
      dateUpdated: "2025-02-10T17:21:08.285Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted