CVE-2024-39503
Severity CVSS v4.0:
Pending analysis
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
12/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type<br />
<br />
Lion Ackermann reported that there is a race condition between namespace cleanup<br />
in ipset and the garbage collection of the list:set type. The namespace<br />
cleanup can destroy the list:set type of sets while the gc of the set type is<br />
waiting to run in rcu cleanup. The latter uses data from the destroyed set which<br />
thus leads use after free. The patch contains the following parts:<br />
<br />
- When destroying all sets, first remove the garbage collectors, then wait<br />
if needed and then destroy the sets.<br />
- Fix the badly ordered "wait then remove gc" for the destroy a single set<br />
case.<br />
- Fix the missing rcu locking in the list:set type in the userspace test<br />
case.<br />
- Use proper RCU list handlings in the list:set type.<br />
<br />
The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).
Impact
Base Score 3.x
7.00
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.269 (including) | 5.4.279 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.210 (including) | 5.10.221 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.149 (including) | 5.15.162 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.79 (including) | 6.1.95 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.18 (including) | 6.6.35 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7.6 (including) | 6.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8.1 (including) | 6.9.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568
- https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702
- https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6
- https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10
- https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08
- https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83
- https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3
- https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568
- https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702
- https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6
- https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10
- https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08
- https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83
- https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html