CVE-2024-50186
Vulnerability from cvelistv5
Published
2024-11-08 05:38
Modified
2024-12-19 09:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, when pf->create fails We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementations do not use sk_common_release in their error paths. For example, we can use the same reproducer as in the above commit, but changing ping to arping. arping uses AF_PACKET socket and if packet_create fails, it will just sk_free the allocated sk object. While we could chase all the pf->create implementations and make sure they NULL the freed sk object on error from the socket, we can't guarantee future protocols will not make the same mistake. So it is easier to just explicitly NULL the sk pointer upon return from pf->create in __sock_create. We do know that pf->create always releases the allocated sk object on error, so if the pointer is not NULL, it is definitely dangling.
Impacted products
Vendor Product Version
Linux Linux Version: 6.10
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "daf462ff3cde6ecf22b98d9ae770232c10d28de2",
              "status": "affected",
              "version": "78e4aa528a7b1204219d808310524344f627d069",
              "versionType": "git"
            },
            {
              "lessThan": "b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f",
              "status": "affected",
              "version": "893eeba94c40d513cd0fe6539330ebdaea208c0e",
              "versionType": "git"
            },
            {
              "lessThan": "563e6892e21d6ecabdf62103fc4e7b326d212334",
              "status": "affected",
              "version": "454c454ed645fed051216b79622f7cb69c1638f5",
              "versionType": "git"
            },
            {
              "lessThan": "8e1b72fd74bf9da3b099d09857f4e7f114f38e12",
              "status": "affected",
              "version": "6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2",
              "versionType": "git"
            },
            {
              "lessThan": "631083143315d1b192bd7d915b967b37819e88ea",
              "status": "affected",
              "version": "6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: explicitly clear the sk pointer, when pf-\u003ecreate fails\n\nWe have recently noticed the exact same KASAN splat as in commit\n6cd4a78d962b (\"net: do not leave a dangling sk pointer, when socket\ncreation fails\"). The problem is that commit did not fully address the\nproblem, as some pf-\u003ecreate implementations do not use sk_common_release\nin their error paths.\n\nFor example, we can use the same reproducer as in the above commit, but\nchanging ping to arping. arping uses AF_PACKET socket and if packet_create\nfails, it will just sk_free the allocated sk object.\n\nWhile we could chase all the pf-\u003ecreate implementations and make sure they\nNULL the freed sk object on error from the socket, we can\u0027t guarantee\nfuture protocols will not make the same mistake.\n\nSo it is easier to just explicitly NULL the sk pointer upon return from\npf-\u003ecreate in __sock_create. We do know that pf-\u003ecreate always releases the\nallocated sk object on error, so if the pointer is not NULL, it is\ndefinitely dangling."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:35:02.469Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/daf462ff3cde6ecf22b98d9ae770232c10d28de2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/563e6892e21d6ecabdf62103fc4e7b326d212334"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e1b72fd74bf9da3b099d09857f4e7f114f38e12"
        },
        {
          "url": "https://git.kernel.org/stable/c/631083143315d1b192bd7d915b967b37819e88ea"
        }
      ],
      "title": "net: explicitly clear the sk pointer, when pf-\u003ecreate fails",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50186",
    "datePublished": "2024-11-08T05:38:27.272Z",
    "dateReserved": "2024-10-21T19:36:19.967Z",
    "dateUpdated": "2024-12-19T09:35:02.469Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50186\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-08T06:15:15.700\",\"lastModified\":\"2024-12-09T23:23:23.217\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: explicitly clear the sk pointer, when pf-\u003ecreate fails\\n\\nWe have recently noticed the exact same KASAN splat as in commit\\n6cd4a78d962b (\\\"net: do not leave a dangling sk pointer, when socket\\ncreation fails\\\"). The problem is that commit did not fully address the\\nproblem, as some pf-\u003ecreate implementations do not use sk_common_release\\nin their error paths.\\n\\nFor example, we can use the same reproducer as in the above commit, but\\nchanging ping to arping. arping uses AF_PACKET socket and if packet_create\\nfails, it will just sk_free the allocated sk object.\\n\\nWhile we could chase all the pf-\u003ecreate implementations and make sure they\\nNULL the freed sk object on error from the socket, we can\u0027t guarantee\\nfuture protocols will not make the same mistake.\\n\\nSo it is easier to just explicitly NULL the sk pointer upon return from\\npf-\u003ecreate in __sock_create. We do know that pf-\u003ecreate always releases the\\nallocated sk object on error, so if the pointer is not NULL, it is\\ndefinitely dangling.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: borrar expl\u00edcitamente el puntero sk, cuando pf-\u0026gt;create falla Recientemente hemos notado exactamente el mismo splat de KASAN que en el commit 6cd4a78d962b (\\\"net: no deje un puntero sk colgando, cuando falla la creaci\u00f3n del socket\\\"). El problema es que el commit no solucion\u00f3 completamente el problema, ya que algunas implementaciones de pf-\u0026gt;create no usan sk_common_release en sus rutas de error. Por ejemplo, podemos usar el mismo reproductor que en el commit anterior, pero cambiando ping a arping. arping usa el socket AF_PACKET y si packet_create falla, solo sk_free el objeto sk asignado. Si bien podr\u00edamos perseguir todas las implementaciones de pf-\u0026gt;create y asegurarnos de que anulen el objeto sk liberado en caso de error del socket, no podemos garantizar que los protocolos futuros no cometan el mismo error. Por lo tanto, es m\u00e1s f\u00e1cil simplemente convertir expl\u00edcitamente en NULL el puntero sk al regresar de pf-\u0026gt;create en __sock_create. Sabemos que pf-\u0026gt;create siempre libera el objeto sk asignado en caso de error, por lo que si el puntero no es NULL, definitivamente est\u00e1 colgado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.162\",\"versionEndExcluding\":\"5.15.168\",\"matchCriteriaId\":\"99F757B5-48A7-4EB4-AA02-72DAFF9A9814\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.96\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"0A2FE2CA-C4B3-41E4-8DBD-D5F345CA4FCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.36\",\"versionEndExcluding\":\"6.6.57\",\"matchCriteriaId\":\"BFB468C3-C495-4723-B812-04ABE9D6A1F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9.7\",\"versionEndExcluding\":\"6.10\",\"matchCriteriaId\":\"FA5E7970-A460-40EE-9BDE-6FFF21149DDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.11.4\",\"matchCriteriaId\":\"2ADD5DBE-B520-479C-9FCD-6C8FA848E789\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/563e6892e21d6ecabdf62103fc4e7b326d212334\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/631083143315d1b192bd7d915b967b37819e88ea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8e1b72fd74bf9da3b099d09857f4e7f114f38e12\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/daf462ff3cde6ecf22b98d9ae770232c10d28de2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.