CVE-2024-26951

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
01/05/2024
Last modified:
23/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wireguard: netlink: check for dangling peer via is_dead instead of empty list

If all peers are removed via wg_peer_remove_all(), rather than setting peer_list to empty, the peer is added to a temporary list with a head on the stack of wg_peer_remove_all(). If a netlink dump is resumed and the cursored peer is one that has been removed via wg_peer_remove_all(), it will iterate from that peer and then attempt to dump freed peers.

Fix this by instead checking peer->is_dead, which was explicitly created for this purpose. Also move up the device_update_lock lockdep assertion, since reading is_dead relies on that.

It can be reproduced by a small script like:

    echo "Setting config..."
    ip link add dev wg0 type wireguard
    wg setconf wg0 /big-config
    (
    while true; do
    echo "Showing config..."
    wg showconf wg0 > /dev/null
    done
    ) &
    sleep 4
    wg setconf wg0
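The following userspace model is an added example, not the kernel's code or the upstream patch. It shows why an empty-list test on the cursored peer fails to flag a peer that was moved onto a temporary list, while an is_dead flag does. The list helpers, `remove_all()` and `stale_cursor_detected()` are hypothetical names, and the model assumes is_dead is set when a peer is removed.

```c
/* Userspace model (added example): why list_empty() misses a peer removed by
 * wg_peer_remove_all(), while is_dead catches it. Not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct peer { struct list_head peer_list; bool is_dead; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_del(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
}
static void list_add_tail(struct list_head *e, struct list_head *h) {
    e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e;
}

/* Models removal as the description states it: each peer is moved onto a
 * temporary list instead of having its own node reset to empty. */
static void remove_all(struct list_head *dev, struct list_head *tmp) {
    while (!list_empty(dev)) {
        struct list_head *e = dev->next;
        struct peer *p = (struct peer *)e;  /* peer_list is the first member */
        p->is_dead = true;                  /* assumption: set on removal */
        list_del(e);
        list_add_tail(e, tmp);
    }
}

/* Returns true if a resumed dump would notice that its cursor is stale. */
bool stale_cursor_detected(bool use_is_dead) {
    struct list_head dev, tmp;  /* tmp stands in for the on-stack head */
    struct peer peers[3];       /* constructed sample peers */
    list_init(&dev); list_init(&tmp);
    for (int i = 0; i < 3; i++) {
        peers[i].is_dead = false;
        list_add_tail(&peers[i].peer_list, &dev);
    }
    struct peer *cursor = &peers[1];  /* where the paused dump would resume */
    remove_all(&dev, &tmp);
    return use_is_dead ? cursor->is_dead : list_empty(&cursor->peer_list);
}

int main(void) {
    printf("list_empty check: %d\n", stale_cursor_detected(false));
    printf("is_dead check:    %d\n", stale_cursor_detected(true));
    return 0;
}
```

In the model nothing is freed, so the missed check is harmless; in the kernel the peers on the temporary list are the freed peers the description refers to.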

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.6 (including) 5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.3 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*