CVE-2024-50130
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 05/11/2024
Last modified: 07/11/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: must hold reference on net namespace

BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60

Eric says:
It seems that bpf was able to defer the __nf_unregister_net_hook()
after exit()/close() time.
Perhaps a netns reference is missing, because the netns has been
dismantled/freed already.
bpf_nf_link_attach() does:
link->net = net;
But I do not see a reference being taken on net.

Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.
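The missing reference described above, as an added C model written for this page (it is neither the kernel's code nor the actual patch): the structs and functions are simplified stand-ins named after the kernel ones, and the hold_ref/fixed flags switch between the original attach path and the fixed one.

```c
#include <stdbool.h>
/* Simplified model of the refcount bug behind CVE-2024-50130, written for this
 * example (not kernel code): a netns with a reference count and a bpf nf link. */
struct net {
    int refcount;  /* models get_net()/put_net() */
    bool alive;    /* false once the namespace has been dismantled and freed */
};
struct bpf_nf_link {
    struct net *net;  /* the link->net pointer the report says held no reference */
};
static void net_get(struct net *net) { net->refcount++; }
static void net_put(struct net *net)
{
    if (--net->refcount == 0)
        net->alive = false;  /* last reference gone: namespace is torn down */
}

/* Models bpf_nf_link_attach(): the original code only did link->net = net.
 * The fix is the extra net_get() so the namespace outlives the link. */
static void link_attach(struct bpf_nf_link *link, struct net *net, bool hold_ref)
{
    link->net = net;
    if (hold_ref)
        net_get(net);
}

/* Models bpf_nf_link_release(): unregister the hook (which reads link->net),
 * then with the fix drop the reference. Returns false if that read hits a freed
 * namespace, which is the slab-use-after-free KASAN reported. */
static bool link_release(struct bpf_nf_link *link, bool drop_ref)
{
    bool safe = link->net->alive;  /* __nf_unregister_net_hook() touching net */
    if (drop_ref)
        net_put(link->net);
    return safe;
}

/* Replays the report: attach, the owning task exits and drops its namespace
 * reference, then the deferred link teardown runs. Returns 0 for a use-after-free,
 * 1 for a clean teardown with balanced references, 2 if it leaked the namespace. */
static int run_lifecycle(bool fixed)
{
    struct net ns = { .refcount = 1, .alive = true };
    struct bpf_nf_link link = { .net = &ns };
    link_attach(&link, &ns, fixed);
    net_put(&ns);                     /* exit(): owner's reference dropped */
    if (!link_release(&link, fixed))  /* close(): deferred bpf_link_free */
        return 0;
    return ns.refcount == 0 ? 1 : 2;
}
```

Without the reference the deferred release reads a namespace that exit() already tore down; with it the link keeps the namespace alive until the hook is unregistered, and the final put leaves the count balanced.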
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.59 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.6 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* | | |