CVE-2024-49982

In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19.311:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.4.273:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*

History

08 Nov 2024, 16:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e -
  • () https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490 -

25 Oct 2024, 15:08

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79 - () https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79 - Patch
References () https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 - () https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 - Patch
References () https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58 - () https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58 - Patch
References () https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f - () https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f - Patch
References () https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3 - () https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3 - Patch
References () https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254 - () https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254 - Patch
References () https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645 - () https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645 - Patch
CWE CWE-416
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.4.273:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19.311:*:*:*:*:*:*:*

23 Oct 2024, 15:13

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: aoe: soluciona el posible problema de use-after-free en más lugares Para solucionar CVE-2023-6270, f98364e92662 ("aoe: soluciona el posible problema de use-after-free en aoecmd_cfg_pkts") hace que tx() llame a dev_put() en lugar de hacerlo en aoecmd_cfg_pkts(). Esto evita que tx() se ejecute en use-after-free. Luego, Nicolai Stange encontró que más lugares en aoe tienen un posible problema de use-after-free con tx(). Por ejemplo, revalidate(), aoecmd_ata_rw(), resend(), probe() y aoecmd_cfg_rsp(). Esas funciones también usan aoenet_xmit() para enviar paquetes a la cola de tx. Por lo tanto, también deberían usar dev_hold() para aumentar el refcnt de skb->dev. Por otra parte, mover dev_put() a tx() hace que el refcnt de skb->dev se reduzca a un valor negativo, porque los dev_hold() correspondientes no se llaman en revalidate(), aoecmd_ata_rw(), resend(), probe() y aoecmd_cfg_rsp(). Este parche solucionó este problema.

21 Oct 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 18:15

Updated : 2024-11-08 16:15


NVD link : CVE-2024-49982

Mitre link : CVE-2024-49982

CVE.ORG link : CVE-2024-49982


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free