CVE-2024-50130

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 05/11/2024
Last modified: 07/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: must hold reference on net namespace

BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60

Eric says:
It seems that bpf was able to defer the __nf_unregister_net_hook()
after exit()/close() time.
Perhaps a netns reference is missing, because the netns has been
dismantled/freed already.
bpf_nf_link_attach() does:
link->net = net;
But I do not see a reference being taken on net.

Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.4 (including)    6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*