CVE-2024-35887
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
19/05/2024
Last modified:
31/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ax25: fix use-after-free bugs caused by ax25_ds_del_timer<br />
<br />
When the ax25 device is detaching, the ax25_dev_device_down()<br />
calls ax25_ds_del_timer() to cleanup the slave_timer. When<br />
the timer handler is running, the ax25_ds_del_timer() that<br />
calls del_timer() in it will return directly. As a result,<br />
the use-after-free bugs could happen, one of the scenarios<br />
is shown below:<br />
<br />
(Thread 1) | (Thread 2)<br />
| ax25_ds_timeout()<br />
ax25_dev_device_down() |<br />
ax25_ds_del_timer() |<br />
del_timer() |<br />
ax25_dev_put() //FREE |<br />
| ax25_dev-> //USE<br />
<br />
In order to mitigate bugs, when the device is detaching, use<br />
timer_shutdown_sync() to stop the timer.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.12 (including) | 6.6.26 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b
- https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9
- https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89
- https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b
- https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9
- https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89