"value":"In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n 1. cleanup_net() processes netns A and then B.\n\n 2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns A's gn->gtp_dev_list and calls ->dellink().\n\n [ device B is not yet unlinked from netns B\n as unregister_netdevice_many() has not been called. ]\n\n 3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns B's for_each_netdev() and calls ->dellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] 
__list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n <TASK>\n [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] 
list_del include/linux/list.h:262 [inl\n---truncated---"
"value":"In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns dismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns, as is done in geneve and IP tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A and B and a gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [device B is not yet unlinked from netns B, as unregister_netdevice_many() has not been called.] 3. gtp_net_exit_batch_rtnl() finds device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: <TASK> [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl---truncad