{ "id": "CVE-2024-53119", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-12-02T14:15:12.667", "lastModified": "2024-12-19T19:15:07.407", "vulnStatus": "Modified", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio/vsock: Fix accept_queue memory leak\n\nAs the final stages of socket destruction may be delayed, it is possible\nthat virtio_transport_recv_listen() will be called after the accept_queue\nhas been flushed, but before the SOCK_DONE flag has been set. As a result,\nsockets enqueued after the flush would remain unremoved, leading to a\nmemory leak.\n\nvsock_release\n __vsock_release\n lock\n virtio_transport_release\n virtio_transport_close\n schedule_delayed_work(close_work)\n sk_shutdown = SHUTDOWN_MASK\n(!) flush accept_queue\n release\n virtio_transport_recv_pkt\n vsock_find_bound_socket\n lock\n if flag(SOCK_DONE) return\n virtio_transport_recv_listen\n child = vsock_create_connected\n (!) vsock_enqueue_accept(child)\n release\nclose_work\n lock\n virtio_transport_do_close\n set_flag(SOCK_DONE)\n virtio_transport_remove_sock\n vsock_remove_sock\n vsock_remove_bound\n release\n\nIntroduce a sk_shutdown check to disallow vsock_enqueue_accept() during\nsocket destruction.\n\nunreferenced object 0xffff888109e3f800 (size 2040):\n comm \"kworker/5:2\", pid 371, jiffies 4294940105\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............\n backtrace (crc 9e5f4e84):\n [] kmem_cache_alloc_noprof+0x2c1/0x360\n [] sk_prot_alloc+0x30/0x120\n [] sk_alloc+0x2c/0x4b0\n [] __vsock_create.constprop.0+0x2a/0x310\n [] virtio_transport_recv_pkt+0x4dc/0x9a0\n [] vsock_loopback_work+0xfd/0x140\n [] process_one_work+0x20c/0x570\n [] worker_thread+0x1bf/0x3a0\n [] kthread+0xdd/0x110\n [] ret_from_fork+0x2d/0x50\n [] ret_from_fork_asm+0x1a/0x30" }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio/vsock: Se soluciona la p\u00e9rdida de memoria de accept_queue. Como las etapas finales de la destrucci\u00f3n del socket pueden demorarse, es posible que se llame a virtio_transport_recv_listen() despu\u00e9s de que se haya vaciado accept_queue, pero antes de que se haya establecido el indicador SOCK_DONE. Como resultado, los sockets en cola despu\u00e9s del vaciado permanecer\u00edan sin eliminar, lo que provocar\u00eda una p\u00e9rdida de memoria. vsock_release __vsock_release bloquear virtio_transport_release virtio_transport_close schedule_delayed_work(cerrar_trabajo) sk_shutdown = SHUTDOWN_MASK (!) vaciar accept_queue liberar virtio_transport_recv_pkt vsock_find_bound_socket bloquear si indicador(SOCK_DONE) devolver virtio_transport_recv_listen child = vsock_create_connected (!) vsock_enqueue_accept(child) liberar close_work bloquear virtio_transport_do_close set_flag(SOCK_DONE) virtio_transport_remove_sock vsock_remove_sock vsock_remove_bound liberar Introduce una comprobaci\u00f3n de sk_shutdown para no permitir vsock_enqueue_accept() durante la destrucci\u00f3n del socket. objeto sin referencia 0xffff888109e3f800 (tama\u00f1o 2040): comm \"kworker/5:2\", pid 371, jiffies 4294940105 volcado hexadecimal (primeros 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ backtrace (crc 9e5f4e84): [] kmem_cache_alloc_noprof+0x2c1/0x360 [] sk_prot_alloc+0x30/0x120 [] sk_alloc+0x2c/0x4b0 [] __vsock_create.constprop.0+0x2a/0x310 [] virtio_transport_recv_pkt+0x4dc/0x9a0 [] vsock_loopback_work+0xfd/0x140 [] process_one_work+0x20c/0x570 [] subproceso_trabajador+0x1bf/0x3a0 [] kthread+0xdd/0x110 [] ret_de_la_bifurcaci\u00f3n+0x2d/0x50 [] ret_de_la_bifurcaci\u00f3n_asm+0x1a/0x30" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-401" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.1.119", "matchCriteriaId": "6A2C9B37-E912-41BB-9EF9-3BC3C5E13B09" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.63", "matchCriteriaId": "8800BB45-48BC-4B52-BDA5-B1E4633F42E5" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.11.10", "matchCriteriaId": "C256F46A-AFDD-4B99-AA4F-67D9D9D2C55A" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*", "matchCriteriaId": "24B88717-53F5-42AA-9B72-14C707639E3F" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*", "matchCriteriaId": "1EF8CD82-1EAE-4254-9545-F85AB94CF90F" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/2415345042245de7601dcc6eafdbe3a3dcc9e379", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/4310902c766e371359e6c6311056ae80b5beeac9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/897617a413e0bf1c6380e3b34b2f28f450508549", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/946c7600fa2207cc8d3fbc86a518ec56f98a5813", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/d7b0ff5a866724c3ad21f2628c22a63336deec3f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/e26fa236758e8baa61a82cfd9fd4388d2e8d6a4c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" } ] }