CVE-2024-53140

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/12/2024
Last modified: 14/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

netlink: terminate outstanding dump on socket close

Netlink supports iterative dumping of data. It provides the families the following ops:
- start - (optional) kicks off the dumping process
- dump - actual dump helper, keeps getting called until it returns 0
- done - (optional) pairs with .start, can be used for cleanup

The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket.

This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done.

The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed.

Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference; if someone else holds the socket they may release it in BH and we're back to square one.

The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when the socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc., but no dumps can start, end or otherwise make progress.

Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.38 (including) | 4.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.8.14 (including) | 4.9 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9 (including) | 6.1.119 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.63 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.10 (excluding)
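As an added example that is not part of this CVE record, the following Python checker maps a kernel release string (as printed by `uname -r`) onto the affected version ranges listed in the table above; the range list is copied from this page, and the sample release strings in the docstring are constructed.

```python
import re

# Affected ranges exactly as listed on this CVE-2024-53140 record:
# (from, including) -> (up to, excluding). The "up to" values are the
# first releases of each stable series that carry the fix.
AFFECTED_RANGES = [
    ("4.4.38", "4.5"),
    ("4.8.14", "4.9"),
    ("4.9", "6.1.119"),
    ("6.2", "6.6.63"),
    ("6.7", "6.11.10"),
]


def parse_version(release):
    """Convert a kernel release string into a comparable tuple of ints.

    Only the leading dotted numeric part is used, so constructed inputs such
    as '6.6.60-1-generic' or '5.15.0-125.135~20.04.1' parse cleanly. Short
    versions are padded so that '4.5' compares equal to '4.5.0'.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError(f"cannot parse kernel version from {release!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def affected_range(release, ranges=AFFECTED_RANGES):
    """Return the (from, up_to) range that covers `release`, or None."""
    v = parse_version(release)
    for lo, hi in ranges:
        if parse_version(lo) <= v < parse_version(hi):
            return (lo, hi)
    return None


def is_affected(release, ranges=AFFECTED_RANGES):
    """True when the upstream version number falls inside an affected range."""
    return affected_range(release, ranges) is not None


if __name__ == "__main__":
    import platform
    rel = platform.release()
    hit = affected_range(rel)
    print(f"{rel}: {'in affected range ' + '-'.join(hit) if hit else 'outside affected ranges'}")
```

A match on the upstream version number is a triage signal, not proof: distribution kernels frequently backport the fix under an older version string, so confirm against the vendor's own advisory for the running kernel.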