CVE-2024-50257

In the Linux kernel, the following vulnerability has been resolved: netfilter: Fix use-after-free in get_info() ip6table_nat module unload has refcnt warning for UAF. call trace is: WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80 Modules linked in: ip6table_nat(-) CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:module_put+0x6f/0x80 Call Trace: <TASK> get_info+0x128/0x180 do_ip6t_get_ctl+0x6a/0x430 nf_getsockopt+0x46/0x80 ipv6_getsockopt+0xb9/0x100 rawv6_getsockopt+0x42/0x190 do_sock_getsockopt+0xaa/0x180 __sys_getsockopt+0x70/0xc0 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0xa2/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Concurrent execution of module unload and get_info() trigered the warning. The root cause is as follows: cpu0 cpu1 module_exit //mod->state = MODULE_STATE_GOING ip6table_nat_exit xt_unregister_template kfree(t) //removed from templ_list getinfo() t = xt_find_table_lock list_for_each_entry(tmpl, &xt_templates[af]...) if (strcmp(tmpl->name, name)) continue; //table not found try_module_get list_for_each_entry(t, &xt_net->tables[af]...) return t; //not get refcnt module_put(t->me) //uaf unregister_pernet_subsys //remove table from xt_net list While xt_table module was going away and has been removed from xt_templates list, we couldnt get refcnt of xt_table->me. Check module in xt_net->tables list re-traversal to fix it.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*

History

14 Nov 2024, 18:11

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/6a1f088f9807f5166f58902d26246d0b88da03a8 - () https://git.kernel.org/stable/c/6a1f088f9807f5166f58902d26246d0b88da03a8 - Patch
References () https://git.kernel.org/stable/c/ba22ea01348384df19cc1fabc7964be6e7189749 - () https://git.kernel.org/stable/c/ba22ea01348384df19cc1fabc7964be6e7189749 - Patch
References () https://git.kernel.org/stable/c/bab3bb35c03b263c486833d50d50c081d9e9832b - () https://git.kernel.org/stable/c/bab3bb35c03b263c486833d50d50c081d9e9832b - Patch
References () https://git.kernel.org/stable/c/cb7c388b5967946f097afdb759b7c860305f2d96 - () https://git.kernel.org/stable/c/cb7c388b5967946f097afdb759b7c860305f2d96 - Patch
References () https://git.kernel.org/stable/c/f48d258f0ac540f00fa617dac496c4c18b5dc2fa - () https://git.kernel.org/stable/c/f48d258f0ac540f00fa617dac496c4c18b5dc2fa - Patch
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CWE CWE-416
First Time Linux linux Kernel
Linux

12 Nov 2024, 13:56

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: Se corrige el problema use-after-free en la descarga del módulo ip6table_nat get_info() que tiene una advertencia refcnt para UAF. El seguimiento de llamadas es: ADVERTENCIA: CPU: 1 PID: 379 en kernel/module/main.c:853 module_put+0x6f/0x80 Módulos vinculados en: ip6table_nat(-) CPU: 1 UID: 0 PID: 379 Comm: ip6tables No contaminado 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:module_put+0x6f/0x80 Seguimiento de llamadas: get_info+0x128/0x180 La ejecución simultánea de la descarga del módulo y get_info() activó la advertencia. La causa raíz es la siguiente: cpu0 cpu1 module_exit //mod-&gt;state = MODULE_STATE_GOING ip6table_nat_exit xt_unregister_template kfree(t) //eliminado de la lista de plantillas getinfo() t = xt_find_table_lock list_for_each_entry(tmpl, &amp;xt_templates[af]...) if (strcmp(tmpl-&gt;name, name)) continue; //tabla no encontrada try_module_get list_for_each_entry(t, &amp;xt_net-&gt;tables[af]...) return t; //no obtener refcnt module_put(t-&gt;me) //uaf unregister_pernet_subsys //eliminar tabla de la lista xt_net Mientras el módulo xt_table desaparecía y se eliminaba de la lista xt_templates, no pudimos obtener refcnt de xt_table-&gt;me. Verifique el módulo en el recorrido de lista xt_net-&gt;tables para solucionarlo.

09 Nov 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-09 11:15

Updated : 2024-12-11 15:15


NVD link : CVE-2024-50257

Mitre link : CVE-2024-50257

CVE.ORG link : CVE-2024-50257


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free