CVE-2024-50186
Vulnerability from cvelistv5
Published
2024-11-08 05:38
Modified
2024-12-19 09:35
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: explicitly clear the sk pointer, when pf->create fails
We have recently noticed the exact same KASAN splat as in commit
6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket
creation fails"). The problem is that commit did not fully address the
problem, as some pf->create implementations do not use sk_common_release
in their error paths.
For example, we can use the same reproducer as in the above commit, but
changing ping to arping. arping uses AF_PACKET socket and if packet_create
fails, it will just sk_free the allocated sk object.
While we could chase all the pf->create implementations and make sure they
NULL the freed sk object on error from the socket, we can't guarantee
future protocols will not make the same mistake.
So it is easier to just explicitly NULL the sk pointer upon return from
pf->create in __sock_create. We do know that pf->create always releases the
allocated sk object on error, so if the pointer is not NULL, it is
definitely dangling.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 78e4aa528a7b1204219d808310524344f627d069 Version: 893eeba94c40d513cd0fe6539330ebdaea208c0e Version: 454c454ed645fed051216b79622f7cb69c1638f5 Version: 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 Version: 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/socket.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "daf462ff3cde6ecf22b98d9ae770232c10d28de2", "status": "affected", "version": "78e4aa528a7b1204219d808310524344f627d069", "versionType": "git" }, { "lessThan": "b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f", "status": "affected", "version": "893eeba94c40d513cd0fe6539330ebdaea208c0e", "versionType": "git" }, { "lessThan": "563e6892e21d6ecabdf62103fc4e7b326d212334", "status": "affected", "version": "454c454ed645fed051216b79622f7cb69c1638f5", "versionType": "git" }, { "lessThan": "8e1b72fd74bf9da3b099d09857f4e7f114f38e12", "status": "affected", "version": "6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2", "versionType": "git" }, { "lessThan": "631083143315d1b192bd7d915b967b37819e88ea", "status": "affected", "version": "6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/socket.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.168", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.113", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.57", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: explicitly clear the sk pointer, when pf-\u003ecreate fails\n\nWe have recently noticed the exact same KASAN splat as in commit\n6cd4a78d962b (\"net: do not leave a dangling sk pointer, when socket\ncreation fails\"). The problem is that commit did not fully address the\nproblem, as some pf-\u003ecreate implementations do not use sk_common_release\nin their error paths.\n\nFor example, we can use the same reproducer as in the above commit, but\nchanging ping to arping. arping uses AF_PACKET socket and if packet_create\nfails, it will just sk_free the allocated sk object.\n\nWhile we could chase all the pf-\u003ecreate implementations and make sure they\nNULL the freed sk object on error from the socket, we can\u0027t guarantee\nfuture protocols will not make the same mistake.\n\nSo it is easier to just explicitly NULL the sk pointer upon return from\npf-\u003ecreate in __sock_create. We do know that pf-\u003ecreate always releases the\nallocated sk object on error, so if the pointer is not NULL, it is\ndefinitely dangling." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:35:02.469Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/daf462ff3cde6ecf22b98d9ae770232c10d28de2" }, { "url": "https://git.kernel.org/stable/c/b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f" }, { "url": "https://git.kernel.org/stable/c/563e6892e21d6ecabdf62103fc4e7b326d212334" }, { "url": "https://git.kernel.org/stable/c/8e1b72fd74bf9da3b099d09857f4e7f114f38e12" }, { "url": "https://git.kernel.org/stable/c/631083143315d1b192bd7d915b967b37819e88ea" } ], "title": "net: explicitly clear the sk pointer, when pf-\u003ecreate fails", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50186", "datePublished": "2024-11-08T05:38:27.272Z", "dateReserved": "2024-10-21T19:36:19.967Z", "dateUpdated": "2024-12-19T09:35:02.469Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-50186\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-08T06:15:15.700\",\"lastModified\":\"2024-12-09T23:23:23.217\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: explicitly clear the sk pointer, when pf-\u003ecreate fails\\n\\nWe have recently noticed the exact same KASAN splat as in commit\\n6cd4a78d962b (\\\"net: do not leave a dangling sk pointer, when socket\\ncreation fails\\\"). The problem is that commit did not fully address the\\nproblem, as some pf-\u003ecreate implementations do not use sk_common_release\\nin their error paths.\\n\\nFor example, we can use the same reproducer as in the above commit, but\\nchanging ping to arping. arping uses AF_PACKET socket and if packet_create\\nfails, it will just sk_free the allocated sk object.\\n\\nWhile we could chase all the pf-\u003ecreate implementations and make sure they\\nNULL the freed sk object on error from the socket, we can\u0027t guarantee\\nfuture protocols will not make the same mistake.\\n\\nSo it is easier to just explicitly NULL the sk pointer upon return from\\npf-\u003ecreate in __sock_create. We do know that pf-\u003ecreate always releases the\\nallocated sk object on error, so if the pointer is not NULL, it is\\ndefinitely dangling.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: borrar expl\u00edcitamente el puntero sk, cuando pf-\u0026gt;create falla Recientemente hemos notado exactamente el mismo splat de KASAN que en el commit 6cd4a78d962b (\\\"net: no deje un puntero sk colgando, cuando falla la creaci\u00f3n del socket\\\"). El problema es que el commit no solucion\u00f3 completamente el problema, ya que algunas implementaciones de pf-\u0026gt;create no usan sk_common_release en sus rutas de error. Por ejemplo, podemos usar el mismo reproductor que en el commit anterior, pero cambiando ping a arping. arping usa el socket AF_PACKET y si packet_create falla, solo sk_free el objeto sk asignado. Si bien podr\u00edamos perseguir todas las implementaciones de pf-\u0026gt;create y asegurarnos de que anulen el objeto sk liberado en caso de error del socket, no podemos garantizar que los protocolos futuros no cometan el mismo error. Por lo tanto, es m\u00e1s f\u00e1cil simplemente convertir expl\u00edcitamente en NULL el puntero sk al regresar de pf-\u0026gt;create en __sock_create. Sabemos que pf-\u0026gt;create siempre libera el objeto sk asignado en caso de error, por lo que si el puntero no es NULL, definitivamente est\u00e1 colgado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.162\",\"versionEndExcluding\":\"5.15.168\",\"matchCriteriaId\":\"99F757B5-48A7-4EB4-AA02-72DAFF9A9814\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.96\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"0A2FE2CA-C4B3-41E4-8DBD-D5F345CA4FCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.36\",\"versionEndExcluding\":\"6.6.57\",\"matchCriteriaId\":\"BFB468C3-C495-4723-B812-04ABE9D6A1F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9.7\",\"versionEndExcluding\":\"6.10\",\"matchCriteriaId\":\"FA5E7970-A460-40EE-9BDE-6FFF21149DDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.11.4\",\"matchCriteriaId\":\"2ADD5DBE-B520-479C-9FCD-6C8FA848E789\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/563e6892e21d6ecabdf62103fc4e7b326d212334\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/631083143315d1b192bd7d915b967b37819e88ea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8e1b72fd74bf9da3b099d09857f4e7f114f38e12\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/daf462ff3cde6ecf22b98d9ae770232c10d28de2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.