CVE-2024-40958
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
12/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

netns: Make get_net_ns() handle zero refcount net

Syzkaller hit a warning:

```
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? show_regs+0xa3/0xc0
 ? __warn+0xa5/0x1c0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? report_bug+0x1fc/0x2d0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? handle_bug+0xa1/0x110
 ? exc_invalid_op+0x3c/0xb0
 ? asm_exc_invalid_op+0x1f/0x30
 ? __warn_printk+0xcc/0x140
 ? __warn_printk+0xd5/0x140
 ? refcount_warn_saturate+0xdf/0x1d0
 get_net_ns+0xa4/0xc0
 ? __pfx_get_net_ns+0x10/0x10
 open_related_ns+0x5a/0x130
 __tun_chr_ioctl+0x1616/0x2370
 ? __sanitizer_cov_trace_switch+0x58/0xa0
 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
 ? __pfx_tun_chr_ioctl+0x10/0x10
 tun_chr_ioctl+0x2f/0x40
 __x64_sys_ioctl+0x11b/0x160
 x64_sys_call+0x1211/0x20d0
 do_syscall_64+0x9e/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
```

This is triggered as below:

```
                ns0                                   ns1
tun_set_iff() //dev is tun0
tun->dev = dev
                                      //ip link set tun0 netns ns1
                                      put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
net = dev_net(tun->dev);
open_related_ns(&net->ns, get_net_ns); //ns1
get_net_ns()
get_net() //addition on 0
```

Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
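The race above comes down to the difference between an unconditional refcount increment (get_net) and a conditional one (maybe_get_net). The following is an added userspace C model written for this page, not the kernel's code: struct net, the refcount primitives, the warning flag and the NULL return of the fixed get_net_ns() are simplified stand-ins (assumptions), and the interleaving replayed is the one in the commit message, where ns1's last reference is dropped while tun->dev still points at it and the TUNGETDEVNETNS path then calls get_net_ns().

```c
/* Added example, not the kernel's code: a userspace model of the refcount
 * semantics behind CVE-2024-40958.  get_net() increments a netns refcount
 * unconditionally, so calling it on a struct net whose count already reached
 * zero is an "addition on 0" (the object may already be freed).
 * maybe_get_net() only takes the reference if the count is still positive.
 * Struct layouts, the warning flag and the NULL-on-failure return of the
 * fixed get_net_ns() below are simplifications (assumptions). */
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel's refcount_t. */
struct refcount { atomic_uint val; };

/* Latched when an increment starts from 0, mirroring the
 * "refcount_t: addition on 0; use-after-free." warning in the oops. */
static bool refcount_warned;

/* Model of refcount_inc(): unconditional; warns if the old value was 0. */
static void refcount_inc(struct refcount *r)
{
    unsigned int old = atomic_fetch_add(&r->val, 1);
    if (old == 0)
        refcount_warned = true;
}

/* Model of refcount_inc_not_zero(): CAS loop that refuses to revive a 0. */
static bool refcount_inc_not_zero(struct refcount *r)
{
    unsigned int old = atomic_load(&r->val);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(&r->val, &old, old + 1));
    return true;
}

/* Model of refcount_dec_and_test(): true when the last reference is dropped. */
static bool refcount_dec_and_test(struct refcount *r)
{
    return atomic_fetch_sub(&r->val, 1) == 1;
}

/* Stand-in for struct net; 'freed' models the memory having been released. */
struct net {
    struct refcount count;
    bool freed;
};

static struct net *get_net(struct net *net)        /* mirrors get_net() */
{
    refcount_inc(&net->count);
    return net;
}

static struct net *maybe_get_net(struct net *net)  /* mirrors maybe_get_net() */
{
    return refcount_inc_not_zero(&net->count) ? net : NULL;
}

static void put_net(struct net *net)               /* mirrors put_net() */
{
    if (refcount_dec_and_test(&net->count))
        net->freed = true;
}

/* Vulnerable shape of get_net_ns(): always increments. */
static struct net *get_net_ns_vulnerable(struct net *net) { return get_net(net); }

/* Fixed shape: refuse a netns whose refcount already hit zero
 * (the real fix reports an error; NULL here by assumption). */
static struct net *get_net_ns_fixed(struct net *net) { return maybe_get_net(net); }

/* Outcome of replaying the advisory's ordering with a given getter. */
struct outcome {
    bool warned;        /* an addition on 0 happened */
    bool handed_out;    /* the caller received a reference */
    bool net_was_freed; /* the netns had already been released */
};

/* Replays the interleaving from the commit message: ns1's last reference is
 * dropped by put_net() (count 0, object freed) while tun->dev still points
 * at it; the TUNGETDEVNETNS ioctl then reaches get_net_ns() on that net. */
static struct outcome replay(struct net *(*getter)(struct net *))
{
    struct net ns1 = { .count = { 1 }, .freed = false };  /* constructed input */
    struct outcome o = { false, false, false };
    refcount_warned = false;

    put_net(&ns1);                   /* "put_net() //ref is 0" */
    struct net *got = getter(&ns1);  /* "get_net_ns()" from the ioctl path */

    o.warned = refcount_warned;
    o.handed_out = (got != NULL);
    o.net_was_freed = ns1.freed;
    return o;
}

int main(void)
{
    struct outcome v = replay(get_net_ns_vulnerable);
    struct outcome f = replay(get_net_ns_fixed);
    printf("get_net():       warned=%d handed_out=%d freed=%d\n",
           v.warned, v.handed_out, v.net_was_freed);
    printf("maybe_get_net(): warned=%d handed_out=%d freed=%d\n",
           f.warned, f.handed_out, f.net_was_freed);
    return 0;
}
```

The vulnerable variant hands the caller a pointer to an object whose count was already zero (the kernel would have warned and, with panic_on_warn, panicked); the fixed variant observes the zero and returns no reference, so the caller sees a failure instead of a dangling netns.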
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.2 (including) | 5.4.279 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.221 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.162 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.96 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.36 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef
- https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b
- https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55
- https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b
- https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940
- https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876
- https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html