CVE-2024-53140
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/12/2024
Last modified:
14/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
netlink: terminate outstanding dump on socket close<br />
<br />
Netlink supports iterative dumping of data. It provides the families<br />
the following ops:<br />
- start - (optional) kicks off the dumping process<br />
- dump - actual dump helper, keeps getting called until it returns 0<br />
- done - (optional) pairs with .start, can be used for cleanup<br />
The whole process is asynchronous and the repeated calls to .dump<br />
don&#39;t actually happen in a tight loop, but rather are triggered<br />
in response to recvmsg() on the socket.<br />
<br />
This gives the user full control over the dump, but also means that<br />
the user can close the socket without getting to the end of the dump.<br />
To make sure .start is always paired with .done we check if there<br />
is an ongoing dump before freeing the socket, and if so call .done.<br />
<br />
The complication is that sockets can get freed from BH and .done<br />
is allowed to sleep. So we use a workqueue to defer the call, when<br />
needed.<br />
<br />
Unfortunately this does not work correctly. What we defer is not<br />
the cleanup but rather releasing a reference on the socket.<br />
We have no guarantee that we own the last reference, if someone<br />
else holds the socket they may release it in BH and we&#39;re back<br />
to square one.<br />
<br />
The whole dance, however, appears to be unnecessary. Only the user<br />
can interact with dumps, so we can clean up when socket is closed.<br />
And close always happens in process context. Some async code may<br />
still access the socket after close, queue notification skbs to it etc.<br />
but no dumps can start, end or otherwise make progress.<br />
<br />
Delete the workqueue and flush the dump state directly from the release<br />
handler. Note that further cleanup is possible in -next, for instance<br />
we now always call .done before releasing the main module reference,<br />
so dump doesn&#39;t have to take a reference of its own.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.38 (including) | 4.5 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.8.14 (including) | 4.9 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9 (including) | 6.1.119 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.63 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.10 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834
- https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f
- https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505
- https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98
- https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559
- https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4
- https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca
- https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603