CVE-2024-50186

{"id": "CVE-2024-50186", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-11-08T06:15:15.700", "references": [{"url": "https://git.kernel.org/stable/c/563e6892e21d6ecabdf62103fc4e7b326d212334", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/631083143315d1b192bd7d915b967b37819e88ea", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8e1b72fd74bf9da3b099d09857f4e7f114f38e12", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/daf462ff3cde6ecf22b98d9ae770232c10d28de2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: explicitly clear the sk pointer, when pf->create fails\n\nWe have recently noticed the exact same KASAN splat as in commit\n6cd4a78d962b (\"net: do not leave a dangling sk pointer, when socket\ncreation fails\"). The problem is that commit did not fully address the\nproblem, as some pf->create implementations do not use sk_common_release\nin their error paths.\n\nFor example, we can use the same reproducer as in the above commit, but\nchanging ping to arping. arping uses AF_PACKET socket and if packet_create\nfails, it will just sk_free the allocated sk object.\n\nWhile we could chase all the pf->create implementations and make sure they\nNULL the freed sk object on error from the socket, we can't guarantee\nfuture protocols will not make the same mistake.\n\nSo it is easier to just explicitly NULL the sk pointer upon return from\npf->create in __sock_create. We do know that pf->create always releases the\nallocated sk object on error, so if the pointer is not NULL, it is\ndefinitely dangling."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: borrar expl\u00edcitamente el puntero sk, cuando pf->create falla Recientemente hemos notado exactamente el mismo splat de KASAN que en el commit 6cd4a78d962b (\"net: no deje un puntero sk colgando, cuando falla la creaci\u00f3n del socket\"). El problema es que el commit no solucion\u00f3 completamente el problema, ya que algunas implementaciones de pf->create no usan sk_common_release en sus rutas de error. Por ejemplo, podemos usar el mismo reproductor que en el commit anterior, pero cambiando ping a arping. arping usa el socket AF_PACKET y si packet_create falla, solo sk_free el objeto sk asignado. Si bien podr\u00edamos perseguir todas las implementaciones de pf->create y asegurarnos de que anulen el objeto sk liberado en caso de error del socket, no podemos garantizar que los protocolos futuros no cometan el mismo error. Por lo tanto, es m\u00e1s f\u00e1cil simplemente convertir expl\u00edcitamente en NULL el puntero sk al regresar de pf->create en __sock_create. Sabemos que pf->create siempre libera el objeto sk asignado en caso de error, por lo que si el puntero no es NULL, definitivamente est\u00e1 colgado."}], "lastModified": "2024-12-09T23:23:23.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99F757B5-48A7-4EB4-AA02-72DAFF9A9814", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.15.162"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A2FE2CA-C4B3-41E4-8DBD-D5F345CA4FCC", "versionEndExcluding": "6.1.113", "versionStartIncluding": "6.1.96"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFB468C3-C495-4723-B812-04ABE9D6A1F4", "versionEndExcluding": "6.6.57", "versionStartIncluding": "6.6.36"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA5E7970-A460-40EE-9BDE-6FFF21149DDA", "versionEndExcluding": "6.10", "versionStartIncluding": "6.9.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2ADD5DBE-B520-479C-9FCD-6C8FA848E789", "versionEndExcluding": "6.11.4", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}