Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-56635

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
27/12/2024
Last modified:
10/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: avoid potential UAF in default_operstate()<br /> <br /> syzbot reported an UAF in default_operstate() [1]<br /> <br /> Issue is a race between device and netns dismantles.<br /> <br /> After calling __rtnl_unlock() from netdev_run_todo(),<br /> we can not assume the netns of each device is still alive.<br /> <br /> Make sure the device is not in NETREG_UNREGISTERED state,<br /> and add an ASSERT_RTNL() before the call to<br /> __dev_get_by_index().<br /> <br /> We might move this ASSERT_RTNL() in __dev_get_by_index()<br /> in the future.<br /> <br /> [1]<br /> <br /> BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852<br /> Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339<br /> <br /> CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:489<br /> kasan_report+0x143/0x180 mm/kasan/report.c:602<br /> __dev_get_by_index+0x5d/0x110 net/core/dev.c:852<br /> default_operstate net/core/link_watch.c:51 [inline]<br /> rfc2863_policy+0x224/0x300 net/core/link_watch.c:67<br /> linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170<br /> netdev_run_todo+0x461/0x1000 net/core/dev.c:10894<br /> rtnl_unlock net/core/rtnetlink.c:152 [inline]<br /> rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]<br /> rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520<br /> rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911<br /> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]<br /> netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347<br /> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:726<br /> ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583<br /> ___sys_sendmsg net/socket.c:2637 [inline]<br /> __sys_sendmsg+0x269/0x350 net/socket.c:2669<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f2a3cb80809<br /> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809<br /> RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008<br /> RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8<br /> <br /> <br /> Allocated by task 5339:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> kmalloc_array_noprof include/linux/slab.h:945 [inline]<br /> netdev_create_hash net/core/dev.c:11870 [inline]<br /> netdev_init+0x10c/0x250 net/core/dev.c:11890<br /> ops_init+0x31e/0x590 net/core/net_namespace.c:138<br /> setup_net+0x287/0x9e0 net/core/net_namespace.c:362<br /> copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500<br /> create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110<br /> unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228<br /> ksys_unshare+0x57d/0xa70 kernel/fork.c:3314<br /> __do_sys_unshare kernel/fork.c:3385 [inline]<br /> __se_sys_unshare kernel/fork.c:3383 [inline]<br /> __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x8<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.00 HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.00
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools