CVE-2024-50257

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
09/11/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: Fix use-after-free in get_info()

ip6table_nat module unload has refcnt warning for UAF. call trace is:

WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80
Modules linked in: ip6table_nat(-)
CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:module_put+0x6f/0x80
Call Trace:

get_info+0x128/0x180
do_ip6t_get_ctl+0x6a/0x430
nf_getsockopt+0x46/0x80
ipv6_getsockopt+0xb9/0x100
rawv6_getsockopt+0x42/0x190
do_sock_getsockopt+0xaa/0x180
__sys_getsockopt+0x70/0xc0
__x64_sys_getsockopt+0x20/0x30
do_syscall_64+0xa2/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Concurrent execution of module unload and get_info() triggered the warning.
The root cause is as follows:

cpu0                                    cpu1
module_exit
//mod->state = MODULE_STATE_GOING
ip6table_nat_exit
xt_unregister_template
kfree(t)
//removed from templ_list
                                        getinfo()
                                        t = xt_find_table_lock
                                        list_for_each_entry(tmpl, &xt_templates[af]...)
                                        if (strcmp(tmpl->name, name))
                                        continue; //table not found
                                        try_module_get
                                        list_for_each_entry(t, &xt_net->tables[af]...)
                                        return t; //not get refcnt
                                        module_put(t->me) //uaf
unregister_pernet_subsys
//remove table from xt_net list

While xt_table module was going away and has been removed from
xt_templates list, we couldn't get refcnt of xt_table->me. Check
module in xt_net->tables list re-traversal to fix it.
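
The interleaving above, replayed in a small userspace model. This is an added example, not kernel code and not part of the advisory: struct module, try_module_get() and module_put() are simplified stand-ins, the module/template/table state is constructed for one netns, and the "fixed" flag models the owner check on the second traversal of xt_net->tables that the commit message describes. Identifiers mirror the kernel's only for readability.

```c
/* Userspace model of the xt_find_table_lock()/get_info() race described above.
 * Added example, not kernel code: struct module, try_module_get() and
 * module_put() are simplified stand-ins, and "fixed" models the owner check on
 * the second traversal of xt_net->tables that the commit message describes. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct module { const char *name; int refcnt; bool going; /* MODULE_STATE_GOING */ };
struct xt_template { const char *name; struct module *me; bool registered; };
struct xt_table { const char *name; struct module *me; bool in_net_list; };

/* Constructed state: the ip6table_nat module, its "nat" template and table. */
static struct module ip6table_nat = { "ip6table_nat", 0, false };
static struct xt_template templates[] = { { "nat", &ip6table_nat, true } };
static struct xt_table tables[] = { { "nat", &ip6table_nat, true } };
#define NTMPL (sizeof templates / sizeof templates[0])
#define NTAB (sizeof tables / sizeof tables[0])

/* try_module_get() stand-in: refuses once the module is going away. */
static bool try_module_get(struct module *m)
{
    if (!m || m->going)
        return false;
    m->refcnt++;
    return true;
}

/* module_put() stand-in: -1 is the unbalanced put behind the WARNING in the
 * trace; NULL is a no-op as in the kernel. */
static int module_put(struct module *m)
{
    if (!m)
        return 0;
    if (m->refcnt <= 0)
        return -1;
    m->refcnt--;
    return 0;
}

/* Modeled on xt_find_table_lock(): tables, then templates (taking a module
 * reference), then tables again. With fixed, the second pass only accepts a
 * table owned by the module we actually hold a reference on. */
static struct xt_table *find_table_lock(const char *name, bool fixed)
{
    struct module *owner = NULL;
    size_t i;

    for (i = 0; i < NTAB; i++)
        if (tables[i].in_net_list && !strcmp(tables[i].name, name) &&
            try_module_get(tables[i].me))
            return &tables[i];

    for (i = 0; i < NTMPL; i++) {
        if (!templates[i].registered || strcmp(templates[i].name, name))
            continue;
        if (!try_module_get(templates[i].me))
            return NULL;
        owner = templates[i].me;   /* table_init(net) would run here */
        break;
    }

    /* and once again: */
    for (i = 0; i < NTAB; i++)
        if (tables[i].in_net_list && !strcmp(tables[i].name, name) &&
            (!fixed || owner == tables[i].me))
            return &tables[i];

    module_put(owner);
    return NULL;
}

/* get_info() as it matters here: look the table up, then drop the module
 * reference. 0 = balanced, 1 = not found, -1 = unbalanced put (the UAF path). */
static int get_info(const char *name, bool fixed)
{
    struct xt_table *t = find_table_lock(name, fixed);
    return t ? module_put(t->me) : 1;
}

/* The interleaving from the description: cpu0 has set MODULE_STATE_GOING and
 * unregistered (freed) the template, but unregister_pernet_subsys() has not
 * yet removed the table from xt_net->tables when cpu1's get_info() runs. */
static int run_race(bool fixed)
{
    ip6table_nat.refcnt = 0;
    ip6table_nat.going = true;
    templates[0].registered = false;
    tables[0].in_net_list = true;
    return get_info("nat", fixed);
}

/* Same lookup with the module alive: reference taken and dropped cleanly. */
static int run_normal(void)
{
    ip6table_nat.refcnt = 0;
    ip6table_nat.going = false;
    templates[0].registered = true;
    tables[0].in_net_list = true;
    return get_info("nat", true);
}
```

In the unpatched variant the first pass over the tables fails only because try_module_get() refuses a GOING module, the template is already gone so no owner reference is taken, and the second pass hands back the table anyway; get_info() then drops a reference it never held. Requiring the table's owner to match the module we hold turns that path into a plain -ENOENT.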

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.171 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.116 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.60 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
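
A version-range check against the table above, as an added example that is not part of the advisory. It takes a kernel release string such as the output of `uname -r`, compares the upstream version against the listed ranges, and treats the five listed 6.12 release candidates as the range rc1 through rc5. Two caveats: distribution kernels backport fixes without changing the upstream version, so a hit means "check the vendor advisory", not "vulnerable"; and a version outside every listed range is only "not listed here", since the table starts at 5.15 and says nothing about older branches. The default release string when no argument is given is the one from the trace in the description.

```c
/* Checks a kernel release string against the affected ranges listed above.
 * Added example, not from the advisory. Range semantics follow the table:
 * from (including) to up to (excluding); 6.12 rc1..rc5 are listed exactly. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct kver { int major, minor, patch, rc; };   /* rc == 0 means a final release */
struct range { struct kver from, upto; };        /* [from, upto) */

static const struct range affected[] = {
    { { 5, 15, 0, 0 }, { 5, 15, 171, 0 } },
    { { 5, 16, 0, 0 }, { 6, 1, 116, 0 } },
    { { 6, 2, 0, 0 },  { 6, 6, 60, 0 } },
    { { 6, 7, 0, 0 },  { 6, 11, 7, 0 } },
    { { 6, 12, 0, 1 }, { 6, 12, 0, 6 } },        /* 6.12-rc1 through 6.12-rc5 */
};

/* Parse "5.15.170-generic" or "6.12.0-rc4-00047-g...-dirty"; false on junk. */
static bool parse_kver(const char *s, struct kver *v)
{
    const char *rc;

    v->major = v->minor = v->patch = v->rc = 0;
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) < 2)
        return false;
    rc = strstr(s, "-rc");
    if (rc && sscanf(rc + 3, "%d", &v->rc) != 1)
        return false;
    return true;
}

/* Ordering: major, minor, patch, then release candidates before the final. */
static int cmp_kver(const struct kver *a, const struct kver *b)
{
    int ra = a->rc ? a->rc : (1 << 30), rb = b->rc ? b->rc : (1 << 30);

    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->patch != b->patch) return a->patch - b->patch;
    return ra - rb;
}

/* 1 = inside a listed range, 0 = not in any listed range, -1 = unparsable. */
static int kernel_affected(const char *release)
{
    struct kver v;
    size_t i;

    if (!parse_kver(release, &v))
        return -1;
    for (i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (cmp_kver(&v, &affected[i].from) >= 0 &&
            cmp_kver(&v, &affected[i].upto) < 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Default input is the release string from the trace in the description. */
    const char *rel = argc > 1 ? argv[1] : "6.12.0-rc4-00047-gc2ee9f594da8-dirty";
    int r = kernel_affected(rel);

    printf("%s: %s\n", rel,
           r < 0 ? "unparsable release string" :
           r     ? "in an affected upstream range (check the distribution advisory)" :
                   "not in a listed range");
    return r < 0 ? 2 : 0;
}
```

Run it as `./check "$(uname -r)"`. Note that a final 6.12.0 sorts after every 6.12 release candidate, so it is correctly reported as not listed.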