CVE-2024-36979
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
19/06/2024
Last modified:
26/08/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: bridge: mst: fix vlan use-after-free<br />
<br />
syzbot reported a suspicious rcu usage[1] in bridge&#39;s mst code. While<br />
fixing it I noticed that nothing prevents a vlan to be freed while<br />
walking the list from the same path (br forward delay timer). Fix the rcu<br />
usage and also make sure we are not accessing freed memory by making<br />
br_mst_vlan_set_state use rcu read lock.<br />
<br />
[1]<br />
WARNING: suspicious RCU usage<br />
6.9.0-rc6-syzkaller #0 Not tainted<br />
-----------------------------<br />
net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!<br />
...<br />
stack backtrace:<br />
CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114<br />
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712<br />
nbp_vlan_group net/bridge/br_private.h:1599 [inline]<br />
br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105<br />
br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47<br />
br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88<br />
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793<br />
expire_timers kernel/time/timer.c:1844 [inline]<br />
__run_timers kernel/time/timer.c:2418 [inline]<br />
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429<br />
run_timer_base kernel/time/timer.c:2438 [inline]<br />
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448<br />
__do_softirq+0x2c6/0x980 kernel/softirq.c:554<br />
invoke_softirq kernel/softirq.c:428 [inline]<br />
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633<br />
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645<br />
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]<br />
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043<br />
<br />
<br />
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702<br />
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758<br />
Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25<br />
RSP: 0018:ffffc90013657100 EFLAGS: 00000206<br />
RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001<br />
RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60<br />
RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0<br />
R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28<br />
R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 6.1.93 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.9.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b
- https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59
- https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e
- https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac
- https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4