CVE-2024-50059

In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work. If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | check_link_status_work switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

08 Nov 2024, 16:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/5126d8f5567f49b52e21fca320eaa97977055099 -

24 Oct 2024, 03:55

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.0
CWE CWE-416
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/177925d9c8715a897bb79eca62628862213ba956 - () https://git.kernel.org/stable/c/177925d9c8715a897bb79eca62628862213ba956 - Patch
References () https://git.kernel.org/stable/c/3ae45be8492460a35b5aebf6acac1f1d32708946 - () https://git.kernel.org/stable/c/3ae45be8492460a35b5aebf6acac1f1d32708946 - Patch
References () https://git.kernel.org/stable/c/92728fceefdaa2a0a3aae675f86193b006eeaa43 - () https://git.kernel.org/stable/c/92728fceefdaa2a0a3aae675f86193b006eeaa43 - Patch
References () https://git.kernel.org/stable/c/b650189687822b705711f0567a65a164a314d8df - () https://git.kernel.org/stable/c/b650189687822b705711f0567a65a164a314d8df - Patch
References () https://git.kernel.org/stable/c/e51aded92d42784313ba16c12f4f88cc4f973bbb - () https://git.kernel.org/stable/c/e51aded92d42784313ba16c12f4f88cc4f973bbb - Patch
References () https://git.kernel.org/stable/c/fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd - () https://git.kernel.org/stable/c/fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd - Patch

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ntb: ntb_hw_switchtec: Se corrige la vulnerabilidad de use after free en switchtec_ntb_remove debido a la condición de ejecución En la función switchtec_ntb_add, puede llamar a la función switchtec_ntb_init_sndev, luego &sndev->check_link_status_work se vincula con check_link_status_work. Se puede llamar a switchtec_ntb_link_notification para iniciar el trabajo. Si eliminamos el módulo que llamará a switchtec_ntb_remove para realizar la limpieza, liberará sndev a través de kfree(sndev), mientras que se utilizará el trabajo mencionado anteriormente. La secuencia de operaciones que puede llevar a un error de UAF es la siguiente: CPU0 CPU1 | check_link_status_work switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev Arréglelo asegurándose de que el trabajo se cancele antes de continuar con la limpieza en switchtec_ntb_remove.

21 Oct 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 20:15

Updated : 2024-11-08 16:15


NVD link : CVE-2024-50059

Mitre link : CVE-2024-50059

CVE.ORG link : CVE-2024-50059


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free