CVE-2024-42108

In the Linux kernel, the following vulnerability has been resolved: net: rswitch: Avoid use-after-free in rswitch_poll() The use-after-free is actually in rswitch_tx_free(), which is inlined in rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the same pointer, the skb is first freed using dev_kfree_skb_any(), then the value in skb->len is used to update the interface statistics. Let's move around the instructions to use skb->len before the skb is freed. This bug is trivial to reproduce using KFENCE. It will trigger a splat every few packets. A simple ARP request or ICMP echo request is enough.
Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

19 Dec 2024, 19:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/4a41bb9f2b402469d425a1c13359d3b3ea4e6403 -

21 Nov 2024, 09:33

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b - Patch () https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b - Patch
References () https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67 - Patch () https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67 - Patch

21 Aug 2024, 20:52

Type Values Removed Values Added
CWE CWE-416
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b - () https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b - Patch
References () https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67 - () https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67 - Patch
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8

30 Jul 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: rswitch: Evite el use after free en rswitch_poll() El use after free está en realidad en rswitch_tx_free(), que está incluido en rswitch_poll(). Dado que `skb` y `gq->skbs[gq->dirty]` son de hecho el mismo puntero, el skb primero se libera usando dev_kfree_skb_any(), luego el valor en skb->len se usa para actualizar las estadísticas de la interfaz. Avancemos por las instrucciones para usar skb->len antes de liberar el skb. Este error es trivial de reproducir usando KFENCE. Activará un sonido cada pocos paquetes. Una simple solicitud ARP o una solicitud de eco ICMP es suficiente.

30 Jul 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-30 08:15

Updated : 2024-12-19 19:15


NVD link : CVE-2024-42108

Mitre link : CVE-2024-42108

CVE.ORG link : CVE-2024-42108


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free