CVE-2024-44934

In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: wait for previous gc cycles when removing port syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is: CPU 1 CPU 2 start gc cycle remove port acquire gc lock first wait for lock call br_multicasg_gc() directly acquire lock now but free port the port can be freed while grp timers still running Make sure all previous gc cycles have finished by using flush_work before freeing the port. [1] BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [inline] __run_timer_base kernel/time/timer.c:2421 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2437
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*

History

27 Aug 2024, 16:07

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: bridge: mcast: espere los ciclos de gc anteriores al eliminar el puerto syzbot alcanzó un use-after-free [1] que se debe a que el puente no se asegura de que todos Se ha recogido basura anterior al eliminar un puerto. Lo que sucede es: CPU 1 CPU 2 iniciar el ciclo de gc eliminar el puerto adquirir el bloqueo de gc primero esperar la llamada de bloqueo br_multicasg_gc() adquirir directamente el bloqueo ahora pero liberar el puerto el puerto se puede liberar mientras los temporizadores de grp aún se ejecutan Asegúrese de que todos los ciclos de gc anteriores hayan finalizado usando flush_work antes de liberar el puerto. [1] ERROR: KASAN: slab-use-after-free en br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Lectura de tamaño 8 en la dirección ffff888071d6d000 por tarea syz.5.1232/9699 CPU: 1 PID: 9699 Comm : syz.5.1232 No contaminado 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/06/2024 Seguimiento de llamadas: __dump_stack lib/dump_stack.c :88 [en línea] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [en línea] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm /kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [en línea] __run_timers +0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [en línea] __run_timer_base kernel/time/timer.c:2421 [en línea] run_timer_base+0x111/0x190 kernel/time/timer. c:2437
CWE CWE-416
References () https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f - () https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f - Patch
References () https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f - () https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f - Patch
References () https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078 - () https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078 - Patch
References () https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658 - () https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658 - Patch
References () https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce - () https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce - Patch

26 Aug 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-26 11:15

Updated : 2024-08-27 16:07


NVD link : CVE-2024-44934

Mitre link : CVE-2024-44934

CVE.ORG link : CVE-2024-44934


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free