cve-2024-53119
Vulnerability from cvelistv5
Published
2024-12-02 13:44
Modified
2024-12-02 13:44
Severity ?
EPSS score ?
Summary
virtio/vsock: Fix accept_queue memory leak
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/vmw_vsock/virtio_transport_common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "946c7600fa22", "status": "affected", "version": "3fe356d58efa", "versionType": "git" }, { "lessThan": "897617a413e0", "status": "affected", "version": "3fe356d58efa", "versionType": "git" }, { "lessThan": "241534504224", "status": "affected", "version": "3fe356d58efa", "versionType": "git" }, { "lessThan": "d7b0ff5a8667", "status": "affected", "version": "3fe356d58efa", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/vmw_vsock/virtio_transport_common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio/vsock: Fix accept_queue memory leak\n\nAs the final stages of socket destruction may be delayed, it is possible\nthat virtio_transport_recv_listen() will be called after the accept_queue\nhas been flushed, but before the SOCK_DONE flag has been set. As a result,\nsockets enqueued after the flush would remain unremoved, leading to a\nmemory leak.\n\nvsock_release\n __vsock_release\n lock\n virtio_transport_release\n virtio_transport_close\n schedule_delayed_work(close_work)\n sk_shutdown = SHUTDOWN_MASK\n(!) flush accept_queue\n release\n virtio_transport_recv_pkt\n vsock_find_bound_socket\n lock\n if flag(SOCK_DONE) return\n virtio_transport_recv_listen\n child = vsock_create_connected\n (!) vsock_enqueue_accept(child)\n release\nclose_work\n lock\n virtio_transport_do_close\n set_flag(SOCK_DONE)\n virtio_transport_remove_sock\n vsock_remove_sock\n vsock_remove_bound\n release\n\nIntroduce a sk_shutdown check to disallow vsock_enqueue_accept() during\nsocket destruction.\n\nunreferenced object 0xffff888109e3f800 (size 2040):\n comm \"kworker/5:2\", pid 371, jiffies 4294940105\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............\n backtrace (crc 9e5f4e84):\n [\u003cffffffff81418ff1\u003e] kmem_cache_alloc_noprof+0x2c1/0x360\n [\u003cffffffff81d27aa0\u003e] sk_prot_alloc+0x30/0x120\n [\u003cffffffff81d2b54c\u003e] sk_alloc+0x2c/0x4b0\n [\u003cffffffff81fe049a\u003e] __vsock_create.constprop.0+0x2a/0x310\n [\u003cffffffff81fe6d6c\u003e] virtio_transport_recv_pkt+0x4dc/0x9a0\n [\u003cffffffff81fe745d\u003e] vsock_loopback_work+0xfd/0x140\n [\u003cffffffff810fc6ac\u003e] process_one_work+0x20c/0x570\n [\u003cffffffff810fce3f\u003e] worker_thread+0x1bf/0x3a0\n [\u003cffffffff811070dd\u003e] kthread+0xdd/0x110\n [\u003cffffffff81044fdd\u003e] ret_from_fork+0x2d/0x50\n [\u003cffffffff8100785a\u003e] ret_from_fork_asm+0x1a/0x30" } ], "providerMetadata": { "dateUpdated": "2024-12-02T13:44:50.438Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/946c7600fa2207cc8d3fbc86a518ec56f98a5813" }, { "url": "https://git.kernel.org/stable/c/897617a413e0bf1c6380e3b34b2f28f450508549" }, { "url": "https://git.kernel.org/stable/c/2415345042245de7601dcc6eafdbe3a3dcc9e379" }, { "url": "https://git.kernel.org/stable/c/d7b0ff5a866724c3ad21f2628c22a63336deec3f" } ], "title": "virtio/vsock: Fix accept_queue memory leak", "x_generator": { "engine": "bippy-8e903de6a542" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53119", "datePublished": "2024-12-02T13:44:50.438Z", "dateReserved": "2024-11-19T17:17:24.994Z", "dateUpdated": "2024-12-02T13:44:50.438Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-53119\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-02T14:15:12.667\",\"lastModified\":\"2024-12-11T20:55:09.957\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio/vsock: Fix accept_queue memory leak\\n\\nAs the final stages of socket destruction may be delayed, it is possible\\nthat virtio_transport_recv_listen() will be called after the accept_queue\\nhas been flushed, but before the SOCK_DONE flag has been set. As a result,\\nsockets enqueued after the flush would remain unremoved, leading to a\\nmemory leak.\\n\\nvsock_release\\n __vsock_release\\n lock\\n virtio_transport_release\\n virtio_transport_close\\n schedule_delayed_work(close_work)\\n sk_shutdown = SHUTDOWN_MASK\\n(!) flush accept_queue\\n release\\n virtio_transport_recv_pkt\\n vsock_find_bound_socket\\n lock\\n if flag(SOCK_DONE) return\\n virtio_transport_recv_listen\\n child = vsock_create_connected\\n (!) vsock_enqueue_accept(child)\\n release\\nclose_work\\n lock\\n virtio_transport_do_close\\n set_flag(SOCK_DONE)\\n virtio_transport_remove_sock\\n vsock_remove_sock\\n vsock_remove_bound\\n release\\n\\nIntroduce a sk_shutdown check to disallow vsock_enqueue_accept() during\\nsocket destruction.\\n\\nunreferenced object 0xffff888109e3f800 (size 2040):\\n comm \\\"kworker/5:2\\\", pid 371, jiffies 4294940105\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............\\n backtrace (crc 9e5f4e84):\\n [\u003cffffffff81418ff1\u003e] kmem_cache_alloc_noprof+0x2c1/0x360\\n [\u003cffffffff81d27aa0\u003e] sk_prot_alloc+0x30/0x120\\n [\u003cffffffff81d2b54c\u003e] sk_alloc+0x2c/0x4b0\\n [\u003cffffffff81fe049a\u003e] __vsock_create.constprop.0+0x2a/0x310\\n [\u003cffffffff81fe6d6c\u003e] virtio_transport_recv_pkt+0x4dc/0x9a0\\n [\u003cffffffff81fe745d\u003e] vsock_loopback_work+0xfd/0x140\\n [\u003cffffffff810fc6ac\u003e] process_one_work+0x20c/0x570\\n [\u003cffffffff810fce3f\u003e] worker_thread+0x1bf/0x3a0\\n [\u003cffffffff811070dd\u003e] kthread+0xdd/0x110\\n [\u003cffffffff81044fdd\u003e] ret_from_fork+0x2d/0x50\\n [\u003cffffffff8100785a\u003e] ret_from_fork_asm+0x1a/0x30\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio/vsock: Se soluciona la p\u00e9rdida de memoria de accept_queue. Como las etapas finales de la destrucci\u00f3n del socket pueden demorarse, es posible que se llame a virtio_transport_recv_listen() despu\u00e9s de que se haya vaciado accept_queue, pero antes de que se haya establecido el indicador SOCK_DONE. Como resultado, los sockets en cola despu\u00e9s del vaciado permanecer\u00edan sin eliminar, lo que provocar\u00eda una p\u00e9rdida de memoria. vsock_release __vsock_release bloquear virtio_transport_release virtio_transport_close schedule_delayed_work(cerrar_trabajo) sk_shutdown = SHUTDOWN_MASK (!) vaciar accept_queue liberar virtio_transport_recv_pkt vsock_find_bound_socket bloquear si indicador(SOCK_DONE) devolver virtio_transport_recv_listen child = vsock_create_connected (!) vsock_enqueue_accept(child) liberar close_work bloquear virtio_transport_do_close set_flag(SOCK_DONE) virtio_transport_remove_sock vsock_remove_sock vsock_remove_bound liberar Introduce una comprobaci\u00f3n de sk_shutdown para no permitir vsock_enqueue_accept() durante la destrucci\u00f3n del socket. objeto sin referencia 0xffff888109e3f800 (tama\u00f1o 2040): comm \\\"kworker/5:2\\\", pid 371, jiffies 4294940105 volcado hexadecimal (primeros 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ backtrace (crc 9e5f4e84): [] kmem_cache_alloc_noprof+0x2c1/0x360 [] sk_prot_alloc+0x30/0x120 [] sk_alloc+0x2c/0x4b0 [] __vsock_create.constprop.0+0x2a/0x310 [] virtio_transport_recv_pkt+0x4dc/0x9a0 [] vsock_loopback_work+0xfd/0x140 [] process_one_work+0x20c/0x570 [] subproceso_trabajador+0x1bf/0x3a0 [] kthread+0xdd/0x110 [] ret_de_la_bifurcaci\u00f3n+0x2d/0x50 [] ret_de_la_bifurcaci\u00f3n_asm+0x1a/0x30\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10\",\"versionEndExcluding\":\"6.1.119\",\"matchCriteriaId\":\"6A2C9B37-E912-41BB-9EF9-3BC3C5E13B09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.63\",\"matchCriteriaId\":\"8800BB45-48BC-4B52-BDA5-B1E4633F42E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.10\",\"matchCriteriaId\":\"C256F46A-AFDD-4B99-AA4F-67D9D9D2C55A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F717D8-3014-4F84-8086-0124B2111379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"24DBE6C7-2AAE-4818-AED2-E131F153D2FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"24B88717-53F5-42AA-9B72-14C707639E3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"1EF8CD82-1EAE-4254-9545-F85AB94CF90F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2415345042245de7601dcc6eafdbe3a3dcc9e379\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/897617a413e0bf1c6380e3b34b2f28f450508549\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/946c7600fa2207cc8d3fbc86a518ec56f98a5813\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d7b0ff5a866724c3ad21f2628c22a63336deec3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.