CVE-2024-53139
Severity CVSS v4.0: Pending analysis
Type: CWE-416 (Use After Free)
Publication date: 04/12/2024 (4 December 2024)
Last modified: 11/12/2024 (11 December 2024)
Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: fix possible UAF in sctp_v6_available()

A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints that sctp_v6_available() is calling dev_get_by_index_rcu() and ipv6_chk_addr() without holding rcu.

[1]
=============================
WARNING: suspicious RCU usage
6.12.0-rc5-virtme #1216 Tainted: G W
-----------------------------
net/core/dev.c:876 RCU-list traversed in non-reader section!!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by sctp_hello/31495:
#0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp

stack backtrace:
CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:

dump_stack_lvl (lib/dump_stack.c:123)
lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))
sctp_v6_available (net/sctp/ipv6.c:701) sctp
sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp
sctp_bind (net/sctp/socket.c:320) sctp
inet6_bind_sk (net/ipv6/af_inet6.c:465)
? security_socket_bind (security/security.c:4581 (discriminator 1))
__sys_bind (net/socket.c:1848 net/socket.c:1869)
? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340)
? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13))
__x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1))
do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f59b934a1e7
Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48
All code
========
0: 44 00 00 add %r8b,(%rax)
3: 48 8b 15 39 8c 0c 00 mov 0xc8c39(%rip),%rdx # 0xc8c43
a: f7 d8 neg %eax
c: 64 89 02 mov %eax,%fs:(%rdx)
f: b8 ff ff ff ff mov $0xffffffff,%eax
14: eb bd jmp 0xffffffffffffffd3
16: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
1d: 00 00 00
20: 0f 1f 00 nopl (%rax)
23: b8 31 00 00 00 mov $0x31,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
Impact
CVSS v3.x base score: 7.80
CVSS v3.x severity: HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.63 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.10 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:* | | |
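The table gives version ranges rather than a list of builds, so the first check a practitioner wants is whether a running kernel's version string falls inside them. The script below is an added example written for this page, not code from the advisory or from the kernel tree. It copies the ranges from the table as given, accepts a version string (defaulting to `uname -r`), and orders release candidates such as the `6.12.0-rc5-virtme` seen in the lockdep report below the corresponding final release. A hit only means the version number sits in a listed range: distribution kernels carry backported fixes under the same upstream version, so confirm against your vendor's advisory or the presence of the upstream fix (which takes the RCU read lock around the dev_get_by_index_rcu() and ipv6_chk_addr() calls named in the commit message) before concluding a host is exposed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the kernel tree: test a
# kernel version string against the affected ranges listed in the table
# above. Version strings are a heuristic only; distribution kernels
# backport fixes without changing the upstream version number, so a hit
# means "consult your vendor's advisory", not "confirmed vulnerable".

# Map "6.6.63", "6.12-rc3" or "6.12.0-rc5-virtme" to one integer laid out
# as MAJOR MINOR(3 digits) PATCH(3 digits) RC(2 digits), so that plain
# numeric comparison orders versions correctly. A final release gets
# rc=99 so it sorts above every one of its release candidates.
vernum() {
    printf '%s\n' "$1" | awk '{
        maj = min = pat = 0; rc = 99
        if (match($0, /^[0-9]+\.[0-9]+(\.[0-9]+)?/)) {
            split(substr($0, RSTART, RLENGTH), p, ".")
            maj = p[1] + 0; min = p[2] + 0; pat = p[3] + 0
            rest = substr($0, RSTART + RLENGTH)
            if (match(rest, /^-rc[0-9]+/))
                rc = substr(rest, 4, RLENGTH - 3) + 0
        }
        printf "%d%03d%03d%02d\n", maj, min, pat, rc
    }'
}

# Ranges copied from the table: [from, up_to) for the two stable series,
# plus the 6.12 release candidates listed individually. Returns 0 (true)
# when the version lies inside a listed range, 1 otherwise.
kernel_affected() {
    v=$(vernum "$1")
    # 6.2 (including) .. 6.6.63 (excluding)
    if [ "$v" -ge "$(vernum 6.2)" ] && [ "$v" -lt "$(vernum 6.6.63)" ]; then
        return 0
    fi
    # 6.7 (including) .. 6.11.10 (excluding)
    if [ "$v" -ge "$(vernum 6.7)" ] && [ "$v" -lt "$(vernum 6.11.10)" ]; then
        return 0
    fi
    # 6.12-rc1 .. 6.12-rc7; 6.12 final is not listed and sorts above rc7
    if [ "$v" -ge "$(vernum 6.12-rc1)" ] && [ "$v" -le "$(vernum 6.12-rc7)" ]; then
        return 0
    fi
    return 1
}

# Check the version given on the command line, or the running kernel.
ver=${1:-$(uname -r)}
if kernel_affected "$ver"; then
    echo "$ver: inside an affected range for CVE-2024-53139; check your vendor's advisory"
else
    echo "$ver: outside the listed ranges"
fi
```

Run it as `sh check.sh` on the host, or `sh check.sh 6.8.0-45-generic` to test an arbitrary string. The awk-based encoding avoids relying on `sort -V`, which is not available on every minimal sh environment, and keeps the comparison in plain `test` integers.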