cve-2024-44934
Vulnerability from cvelistv5
Published: 2024-08-26 10:11
Modified: 2024-12-19 09:18
Severity: 7.8 HIGH (NVD CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); weakness CWE-416 (use after free)
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mcast: wait for previous gc cycles when removing port

syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is:

      CPU 1                   CPU 2
 start gc cycle           remove port
                         acquire gc lock first
 wait for lock
                         call br_multicasg_gc() directly
 acquire lock now but    free port
 the port can be freed
 while grp timers still
 running

Make sure all previous gc cycles have finished by using flush_work before freeing the port.

[1]
  BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
  Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699

  CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0xc3/0x620 mm/kasan/report.c:488
   kasan_report+0xd9/0x110 mm/kasan/report.c:601
   br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
   call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
   expire_timers kernel/time/timer.c:1843 [inline]
   __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
   __run_timer_base kernel/time/timer.c:2428 [inline]
   __run_timer_base kernel/time/timer.c:2421 [inline]
   run_timer_base+0x111/0x190 kernel/time/timer.c:2437
Impacted products
Vendor   Product   Version
Linux    Linux     5.10
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44934",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:27:51.533304Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:32:55.981Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e16828020c674b3be85f52685e8b80f9008f50f",
              "status": "affected",
              "version": "e12cec65b5546f19217e26aafb8add6e2fadca18",
              "versionType": "git"
            },
            {
              "lessThan": "0d8b26e10e680c01522d7cc14abe04c3265a928f",
              "status": "affected",
              "version": "e12cec65b5546f19217e26aafb8add6e2fadca18",
              "versionType": "git"
            },
            {
              "lessThan": "e3145ca904fa8dbfd1a5bf0187905bc117b0efce",
              "status": "affected",
              "version": "e12cec65b5546f19217e26aafb8add6e2fadca18",
              "versionType": "git"
            },
            {
              "lessThan": "b2f794b168cf560682ff976b255aa6d29d14a658",
              "status": "affected",
              "version": "e12cec65b5546f19217e26aafb8add6e2fadca18",
              "versionType": "git"
            },
            {
              "lessThan": "92c4ee25208d0f35dafc3213cdf355fbe449e078",
              "status": "affected",
              "version": "e12cec65b5546f19217e26aafb8add6e2fadca18",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles when removing port\n\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn\u0027t\nmake sure that all previous garbage has been collected when removing a\nport. What happens is:\n      CPU 1                   CPU 2\n start gc cycle           remove port\n                         acquire gc lock first\n wait for lock\n                         call br_multicasg_gc() directly\n acquire lock now but    free port\n the port can be freed\n while grp timers still\n running\n\nMake sure all previous gc cycles have finished by using flush_work before\nfreeing the port.\n\n[1]\n  BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n  Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\n\n  CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n  Call Trace:\n   \u003cIRQ\u003e\n   __dump_stack lib/dump_stack.c:88 [inline]\n   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0xc3/0x620 mm/kasan/report.c:488\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\n   br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n   call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\n   expire_timers kernel/time/timer.c:1843 [inline]\n   __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\n   __run_timer_base kernel/time/timer.c:2428 [inline]\n   __run_timer_base kernel/time/timer.c:2421 [inline]\n   run_timer_base+0x111/0x190 kernel/time/timer.c:2437"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:18:26.096Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658"
        },
        {
          "url": "https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078"
        }
      ],
      "title": "net: bridge: mcast: wait for previous gc cycles when removing port",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44934",
    "datePublished": "2024-08-26T10:11:25.809Z",
    "dateReserved": "2024-08-21T05:34:56.664Z",
    "dateUpdated": "2024-12-19T09:18:26.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-44934\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-26T11:15:05.593\",\"lastModified\":\"2024-08-27T16:07:58.727\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: mcast: wait for previous gc cycles when removing port\\n\\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn\u0027t\\nmake sure that all previous garbage has been collected when removing a\\nport. What happens is:\\n      CPU 1                   CPU 2\\n start gc cycle           remove port\\n                         acquire gc lock first\\n wait for lock\\n                         call br_multicasg_gc() directly\\n acquire lock now but    free port\\n the port can be freed\\n while grp timers still\\n running\\n\\nMake sure all previous gc cycles have finished by using flush_work before\\nfreeing the port.\\n\\n[1]\\n  BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\\n  Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\\n\\n  CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\\n  Call Trace:\\n   \u003cIRQ\u003e\\n   __dump_stack lib/dump_stack.c:88 [inline]\\n   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\\n   print_address_description mm/kasan/report.c:377 [inline]\\n   print_report+0xc3/0x620 mm/kasan/report.c:488\\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\\n   br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\\n   call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\\n   expire_timers kernel/time/timer.c:1843 [inline]\\n   __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\\n   __run_timer_base kernel/time/timer.c:2428 [inline]\\n   __run_timer_base kernel/time/timer.c:2421 [inline]\\n   run_timer_base+0x111/0x190 kernel/time/timer.c:2437\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: bridge: mcast: espere los ciclos de gc anteriores al eliminar el puerto syzbot alcanz\u00f3 un use-after-free [1] que se debe a que el puente no se asegura de que todos Se ha recogido basura anterior al eliminar un puerto. Lo que sucede es: CPU 1 CPU 2 iniciar el ciclo de gc eliminar el puerto adquirir el bloqueo de gc primero esperar la llamada de bloqueo br_multicasg_gc() adquirir directamente el bloqueo ahora pero liberar el puerto el puerto se puede liberar mientras los temporizadores de grp a\u00fan se ejecutan Aseg\u00farese de que todos los ciclos de gc anteriores hayan finalizado usando flush_work antes de liberar el puerto. [1] ERROR: KASAN: slab-use-after-free en br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888071d6d000 por tarea syz.5.1232/9699 CPU: 1 PID: 9699 Comm : syz.5.1232 No contaminado 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/06/2024 Seguimiento de llamadas:  __dump_stack lib/dump_stack.c :88 [en l\u00ednea] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [en l\u00ednea] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm /kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [en l\u00ednea] __run_timers +0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [en l\u00ednea] __run_timer_base kernel/time/timer.c:2421 [en l\u00ednea] run_timer_base+0x111/0x190 kernel/time/timer. c:2437\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10\",\"versionEndExcluding\":\"5.15.165\",\"matchCriteriaId\":\"F3BF38C6-4F30-4588-B942-87545E62CA7D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.105\",\"matchCriteriaId\":\"89BEB24B-0F37-4C92-A397-564DA7CD8EE9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.46\",\"matchCriteriaId\":\"FA11941E-81FB-484C-B583-881EEB488340\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.5\",\"matchCriteriaId\":\"D074AE50-4A5E-499C-A2FD-75FD60DEA560\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}