CVE-2024-50036

In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc	Patch
https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a
https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f
https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d	Patch
https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96
https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc2::::::

History

No history.

Information

Published : 2024-10-21 20:15

Updated : 2024-11-17 15:15

NVD link : CVE-2024-50036

Mitre link : CVE-2024-50036

CVE.ORG link : CVE-2024-50036

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-50036", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2024-10-21T20:15:16.717", "references": [{"url": "https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n dst_release_immediate(child), this might also cause UAF\n if the child does not have DST_NOCOUNT set.\n IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n which might happen in future kernels."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: no retrasar dst_entries_add() en dst_release() dst_entries_add() usa datos por CPU que podr\u00edan liberarse en el desmantelamiento de netns de ip6_route_net_exit() llamando a dst_entries_destroy() Antes de que se pueda llamar a ip6_route_net_exit(), liberamos todos los dst asociados con este netns, a trav\u00e9s de llamadas a dst_release(), que espera un per\u00edodo de gracia de rcu antes de llamar a dst_destroy() El uso de dst_entries_add() en dst_destroy() es arriesgado, porque dst_entries_destroy() ya podr\u00eda haberse llamado. La disminuci\u00f3n del n\u00famero de dst debe ocurrir antes. Notas: 1) en el caso de CONFIG_XFRM, dst_destroy() puede llamar a dst_release_immediate(child), lo que tambi\u00e9n podr\u00eda causar UAF si el hijo no tiene DST_NOCOUNT configurado. Los encargados del mantenimiento de IPSEC podr\u00edan echar un vistazo y ver c\u00f3mo solucionar esto. 2) Tambi\u00e9n se est\u00e1 discutiendo sobre la eliminaci\u00f3n de este recuento de dst, lo que podr\u00eda suceder en kernels futuros."}], "lastModified": "2024-11-17T15:15:18.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB008871-978A-402A-8407-15291079DC44", "versionEndExcluding": "3.11", "versionStartIncluding": "3.10.50"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "597B9ABF-E2FF-405B-8226-0BD990181032", "versionEndExcluding": "3.13", "versionStartIncluding": "3.12.26"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6241E34F-0DAB-4BE0-AD33-1BEEDA5841C9", "versionEndExcluding": "3.15", "versionStartIncluding": "3.14.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F88CDBE1-4ECE-4BE4-B2A6-7E814D3EA822", "versionEndExcluding": "3.16", "versionStartIncluding": "3.15.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D4764C3-4502-4F9B-8704-85262723C867", "versionEndExcluding": "6.6.57", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA84D336-CE9A-4535-B901-1AD77EC17C34", "versionEndExcluding": "6.11.4", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}