CVE-2024-41040

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
29/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix UAF when resolving a clash

KASAN reports the following UAF:

BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
Read of size 1 at addr ffff888c07603600 by task handler130/6469

Call Trace:

dump_stack_lvl+0x48/0x70
print_address_description.constprop.0+0x33/0x3d0
print_report+0xc0/0x2b0
kasan_report+0xd0/0x120
__asan_load1+0x6c/0x80
tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
tcf_ct_act+0x886/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491
__irq_exit_rcu+0x82/0xc0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa1/0xb0

asm_common_interrupt+0x27/0x40

Allocated by task 6469:
kasan_save_stack+0x38/0x70
kasan_set_track+0x25/0x40
kasan_save_alloc_info+0x1e/0x40
__kasan_krealloc+0x133/0x190
krealloc+0xaa/0x130
nf_ct_ext_add+0xed/0x230 [nf_conntrack]
tcf_ct_act+0x1095/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491

Freed by task 6469:
kasan_save_stack+0x38/0x70
kasan_set_track+0x25/0x40
kasan_save_free_info+0x2b/0x60
____kasan_slab_free+0x180/0x1f0
__kasan_slab_free+0x12/0x30
slab_free_freelist_hook+0xd2/0x1a0
__kmem_cache_free+0x1a2/0x2f0
kfree+0x78/0x120
nf_conntrack_free+0x74/0x130 [nf_conntrack]
nf_ct_destroy+0xb2/0x140 [nf_conntrack]
__nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
__nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
tcf_ct_act+0x12ad/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491

The ct may be dropped if a clash has been resolved but is still passed to
the tcf_ct_flow_table_process_conn function for further usage. This issue
can be fixed by retrieving ct from skb again after confirming conntrack.
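The sequence the commit message describes, as an added userland model written for this entry (it is neither the kernel's code nor the upstream patch): the action keeps a conntrack pointer obtained before confirmation, confirmation resolves a clash by freeing that entry and repointing the skb at the entry that won the race, and the stale pointer is then handed to the flow-table step. All sim_* names are hypothetical stand-ins for nf_conn, sk_buff, __nf_conntrack_confirm() with its __nf_ct_resolve_clash() path, tcf_ct_act() and tcf_ct_flow_table_process_conn(); a freed flag stands in for kfree() so the stale read is observable rather than undefined behaviour, which is the role KASAN's quarantine plays in the report above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NF_ACCEPT 1
#define NF_DROP   0

/* Hypothetical stand-in for struct nf_conn. 'freed' replaces kfree() so a
 * read of a dead entry can be detected instead of being undefined. */
struct sim_conn {
    unsigned int flow_id;   /* stands in for the tuple */
    int refcnt;
    bool confirmed;
    bool freed;
};

/* Hypothetical stand-in for sk_buff: only skb->_nfct matters here. */
struct sim_skb {
    struct sim_conn *nfct;
};

/* Tiny stand-in for the hash table of confirmed conntrack entries. */
#define SIM_TABLE_SIZE 16
static struct sim_conn *sim_table[SIM_TABLE_SIZE];

static struct sim_conn *sim_conn_alloc(unsigned int flow_id)
{
    struct sim_conn *ct = calloc(1, sizeof(*ct));
    if (!ct)
        abort();
    ct->flow_id = flow_id;
    ct->refcnt = 1;                 /* the reference held by the skb */
    return ct;
}

/* Models nf_ct_put(): dropping the last reference "frees" the entry. */
static void sim_conn_put(struct sim_conn *ct)
{
    if (--ct->refcnt == 0)
        ct->freed = true;
}

/* Models __nf_conntrack_confirm() including the clash path: if a packet of
 * the same flow already confirmed an entry, that entry wins, the skb is
 * repointed to it and the unconfirmed loser is put (freed). Any ct pointer
 * the caller took before this call is stale afterwards. */
static int sim_conntrack_confirm(struct sim_skb *skb)
{
    struct sim_conn *loser = skb->nfct;
    struct sim_conn **slot = &sim_table[loser->flow_id % SIM_TABLE_SIZE];
    struct sim_conn *winner = *slot;

    if (!winner) {                  /* no clash: insert as confirmed */
        loser->confirmed = true;
        *slot = loser;
        return NF_ACCEPT;
    }
    winner->refcnt++;               /* nf_conntrack_get(winner) */
    skb->nfct = winner;             /* nf_ct_set(skb, winner, ctinfo) */
    sim_conn_put(loser);            /* nf_conntrack_put(loser) -> kfree */
    return NF_ACCEPT;
}

/* Models tcf_ct_flow_table_process_conn() reading the entry's state.
 * Returns 1 for a confirmed entry, 0 for an unconfirmed one, and -1 when
 * the read lands on a freed entry (the slab-use-after-free KASAN flagged). */
static int sim_flow_table_process_conn(const struct sim_conn *ct)
{
    if (ct->freed)
        return -1;
    return ct->confirmed ? 1 : 0;
}

/* Vulnerable tcf_ct_act() shape: the pointer taken before confirm is reused. */
static int sim_tcf_ct_act_vulnerable(struct sim_skb *skb)
{
    struct sim_conn *ct = skb->nfct;                /* nf_ct_get() */

    if (sim_conntrack_confirm(skb) != NF_ACCEPT)
        return NF_DROP;
    return sim_flow_table_process_conn(ct);         /* stale after a clash */
}

/* Fixed shape, as the commit message describes: fetch ct from the skb again
 * after confirming, since a resolved clash may have replaced it. */
static int sim_tcf_ct_act_fixed(struct sim_skb *skb)
{
    struct sim_conn *ct = skb->nfct;

    if (sim_conntrack_confirm(skb) != NF_ACCEPT)
        return NF_DROP;
    ct = skb->nfct;                                 /* nf_ct_get() again */
    if (!ct)
        return NF_DROP;
    return sim_flow_table_process_conn(ct);
}

/* Two packets of one flow that raced, each carrying its own unconfirmed
 * entry, so the second confirm clashes. Returns what the second packet's
 * flow-table step observed: -1 is the UAF, 1 is the repointed winner. */
static int sim_run_clash(bool fixed)
{
    struct sim_conn *a = sim_conn_alloc(7);
    struct sim_conn *b = sim_conn_alloc(7);
    struct sim_skb first = { a }, second = { b };
    int (*act)(struct sim_skb *) = fixed ? sim_tcf_ct_act_fixed
                                         : sim_tcf_ct_act_vulnerable;
    int rc;

    memset(sim_table, 0, sizeof(sim_table));
    act(&first);                    /* confirms a */
    rc = act(&second);              /* clash: b is freed, skb -> a */
    free(a);
    free(b);
    return rc;
}

int main(void)
{
    printf("vulnerable: %d\n", sim_run_clash(false));   /* prints -1 */
    printf("fixed:      %d\n", sim_run_clash(true));    /* prints 1 */
    return 0;
}
```

The model keeps the kernel's refcount shape: the skb's own reference is what the loser gives up in the clash path, so the entry dies exactly at the point where the KASAN trace shows nf_ct_destroy being reached from __nf_ct_resolve_clash, and only a caller that re-reads skb->nfct after confirmation sees the surviving entry.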

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.43 (including) 5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.12.10 (including) 5.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.100 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.41 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.10 (excluding)