7

CVE-2024-50036

net: do not delay dst_entries_add() in dst_release()

In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release()

dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call
   dst_release_immediate(child), this might also cause UAF
   if the child does not have DST_NOCOUNT set.
   IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst,
   which might happen in future kernels.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.10.50 < 3.11
LinuxLinux Kernel Version >= 3.12.26 < 3.13
LinuxLinux Kernel Version >= 3.14.14 < 3.15
LinuxLinux Kernel Version >= 3.15.7 < 3.16
LinuxLinux Kernel Version >= 3.16 < 6.6.57
LinuxLinux Kernel Version >= 6.7 < 6.11.4
LinuxLinux Kernel Version6.12 Updaterc1
LinuxLinux Kernel Version6.12 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.148
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc
Patch
https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a
https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f
https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d
Patch
https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96
https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd
Patch
https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html