{ "id": "CVE-2024-50126", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-11-05T18:15:15.607", "lastModified": "2024-12-11T15:15:12.797", "vulnStatus": "Modified", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20" }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: sched: usar la secci\u00f3n cr\u00edtica del lado de lectura de RCU en taprio_dump(). Corrija el posible use-after-free en 'taprio_dump()' agregando all\u00ed la secci\u00f3n cr\u00edtica del lado de lectura de RCU. Nunca visto en x86 pero encontrado en un sistema arm64 habilitado para KASAN al investigar https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa: [T15862] ERROR: KASAN: slab-use-after-free en taprio_dump+0xa0c/0xbb0 [T15862] Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff0000d4bb88f8 por la tarea repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro No contaminado 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Nombre del hardware: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 24/05/2024 [T15862] Seguimiento de llamadas: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] El comando tc_fill_qdisc_notify.isra.0_0x330_0x3a0_tc_modify_qdisc_0x7b8_0x1838_rtnetlink_rcv_msg_0x3c8_0xc20_netlink_rcv_skb_0x1f8_0x3d4_rtnetlink_rcv_0x28_0x40_netlink_unicast_0x51c_0x790_netlink_sendmsg_0x79c_0xc20_tc_sendmsg_0x1a ... [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Asignado por la tarea 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Liberado por la tarea 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 5.9 }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 5.9 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-416" } ] }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-416" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.6.59", "matchCriteriaId": "73E6DF5B-2C48-44A0-904B-A1EC3684F9D1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.11.6", "matchCriteriaId": "E4486B12-007B-4794-9857-F07145637AA1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] } ] }