CVE-2024-49982
Description
In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in more places

For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free.

Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev.

On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
POC
Reference
No PoCs from references.