CVE-2024-36971

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
10/06/2024
Last modified:
27/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.
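As an added illustration (not code from the kernel, the patch, or this advisory), the following user-space C model shows the ordering rule the commit message states: the published pointer sk->sk_dst_cache must be cleared before dst_release() drops the reference, because a reader that loads the pointer in between would otherwise find an entry that has already been freed. The struct names, dst_release() and the two orderings borrow the kernel's names, but the refcount, the "freed" flag and the reader hook are simplified stand-ins; the model omits the RCU grace period and the reader-side refcount check, so it demonstrates only the ordering rule, not the exact kernel race.

```c
/* Added illustration, not kernel code: a single-threaded user-space model of
 * the ordering rule in the commit message. sk_dst_cache, dst_release() and
 * sk_dst_reset()-style ordering borrow the kernel's names; refcnt, the
 * "freed" flag and the reader hook are simplified stand-ins for the real
 * dst/RCU machinery (no grace period, no dst_hold_safe()). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct dst_entry {
    int refcnt;
    bool freed;   /* stand-in for the entry having gone back to the allocator */
};

struct sock {
    struct dst_entry *sk_dst_cache;   /* published pointer read by RCU readers */
};

/* Drop one reference; the last one "frees" the entry. */
static void dst_release(struct dst_entry *dst)
{
    if (dst && --dst->refcnt == 0)
        dst->freed = true;
}

/* Model of a concurrent reader scheduled between the writer's two steps:
 * it loads the published pointer and touches the entry if non-NULL.
 * Returns true if it touched a freed entry, i.e. the use-after-free. */
static bool reader_touches_freed_dst(const struct sock *sk)
{
    const struct dst_entry *dst = sk->sk_dst_cache;
    return dst != NULL && dst->freed;
}

enum writer_order {
    RELEASE_THEN_CLEAR,   /* pre-fix __dst_negative_advice(): wrong order */
    CLEAR_THEN_RELEASE    /* sk_dst_reset() protocol: correct order */
};

/* Run one writer/reader interleaving on a fresh socket whose cache holds the
 * only reference to its dst. Returns true if the reader hit freed memory. */
static bool run_interleaving(enum writer_order order)
{
    struct dst_entry entry = { .refcnt = 1, .freed = false };
    struct sock sk = { .sk_dst_cache = &entry };
    struct dst_entry *old = sk.sk_dst_cache;
    bool uaf;

    if (order == RELEASE_THEN_CLEAR) {
        dst_release(old);                     /* refcnt 1 -> 0: entry freed */
        uaf = reader_touches_freed_dst(&sk);  /* reader still sees &entry */
        sk.sk_dst_cache = NULL;               /* cleared too late */
    } else {
        sk.sk_dst_cache = NULL;               /* unpublish first (kernel: xchg) */
        uaf = reader_touches_freed_dst(&sk);  /* reader sees NULL, bails out */
        dst_release(old);                     /* then drop the reference */
    }
    return uaf;
}

int main(void)
{
    printf("release-then-clear: reader hit freed dst = %s\n",
           run_interleaving(RELEASE_THEN_CLEAR) ? "yes" : "no");
    printf("clear-then-release: reader hit freed dst = %s\n",
           run_interleaving(CLEAR_THEN_RELEASE) ? "yes" : "no");
    return 0;
}
```

The fix described above does not change the rule itself; it moves the correctly ordered sk_dst_reset() into each of the three ->negative_advice() callbacks, since ip6_negative_advice() needs its RTF_CACHE handling in between. When reviewing similar code, the check is the same as in the model: find every writer that drops a reference on an RCU-published pointer and confirm the pointer is cleared (ideally with an xchg) before the release, not after.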

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.6 (including)    4.19.316 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.20 (including)   5.4.278 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5 (including)    5.10.219 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)   5.15.161 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)   6.1.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)    6.6.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)    6.9.4 (excluding)