ghsa-6gx2-28h4-32x9
Vulnerability from github
Published
2024-11-09 12:30
Modified
2024-11-14 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

macsec: Fix use-after-free while sending the offloading packet

KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while driver still use it for sending the packet.

To fix this issue, dst_release() is used instead to release metadata_dst. So it is not freed instantly in macsec_free_netdev() if still referenced by skb.

BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714 [...] Workqueue: mld mld_ifc_work Call Trace: dump_stack_lvl+0x51/0x60 print_report+0xc1/0x600 kasan_report+0xab/0xe0 mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] dev_hard_start_xmit+0x120/0x530 sch_direct_xmit+0x149/0x11e0 __qdisc_run+0x3ad/0x1730 __dev_queue_xmit+0x1196/0x2ed0 vlan_dev_hard_start_xmit+0x32e/0x510 [8021q] dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 macsec_start_xmit+0x13e9/0x2340 dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 ip6_finish_output2+0x923/0x1a70 ip6_finish_output+0x2d7/0x970 ip6_output+0x1ce/0x3a0 NF_HOOK.constprop.0+0x15f/0x190 mld_sendpack+0x59a/0xbd0 mld_ifc_work+0x48a/0xa80 process_one_work+0x5aa/0xe50 worker_thread+0x79c/0x1290 kthread+0x28f/0x350 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20

Allocated by task 3922: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x77/0x90 __kmalloc_noprof+0x188/0x400 metadata_dst_alloc+0x1f/0x4e0 macsec_newlink+0x914/0x1410 __rtnl_newlink+0xe08/0x15b0 rtnl_newlink+0x5f/0x90 rtnetlink_rcv_msg+0x667/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 _syssendmsg+0x52e/0x6a0 _sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 4011: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 poison_slab_object+0x10c/0x190 __kasan_slab_free+0x11/0x30 kfree+0xe0/0x290 macsec_free_netdev+0x3f/0x140 netdev_run_todo+0x450/0xc70 rtnetlink_rcv_msg+0x66f/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 _syssendmsg+0x52e/0x6a0 _sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-50261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: Fix use-after-free while sending the offloading packet\n\nKASAN reports the following UAF. The metadata_dst, which is used to\nstore the SCI value for macsec offload, is already freed by\nmetadata_dst_free() in macsec_free_netdev(), while driver still use it\nfor sending the packet.\n\nTo fix this issue, dst_release() is used instead to release\nmetadata_dst. So it is not freed instantly in macsec_free_netdev() if\nstill referenced by skb.\n\n BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\n Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714\n [...]\n Workqueue: mld mld_ifc_work\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x51/0x60\n  print_report+0xc1/0x600\n  kasan_report+0xab/0xe0\n  mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\n  dev_hard_start_xmit+0x120/0x530\n  sch_direct_xmit+0x149/0x11e0\n  __qdisc_run+0x3ad/0x1730\n  __dev_queue_xmit+0x1196/0x2ed0\n  vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]\n  dev_hard_start_xmit+0x120/0x530\n  __dev_queue_xmit+0x14a7/0x2ed0\n  macsec_start_xmit+0x13e9/0x2340\n  dev_hard_start_xmit+0x120/0x530\n  __dev_queue_xmit+0x14a7/0x2ed0\n  ip6_finish_output2+0x923/0x1a70\n  ip6_finish_output+0x2d7/0x970\n  ip6_output+0x1ce/0x3a0\n  NF_HOOK.constprop.0+0x15f/0x190\n  mld_sendpack+0x59a/0xbd0\n  mld_ifc_work+0x48a/0xa80\n  process_one_work+0x5aa/0xe50\n  worker_thread+0x79c/0x1290\n  kthread+0x28f/0x350\n  ret_from_fork+0x2d/0x70\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e\n\n Allocated by task 3922:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x10/0x30\n  __kasan_kmalloc+0x77/0x90\n  __kmalloc_noprof+0x188/0x400\n  metadata_dst_alloc+0x1f/0x4e0\n  macsec_newlink+0x914/0x1410\n  __rtnl_newlink+0xe08/0x15b0\n  rtnl_newlink+0x5f/0x90\n  rtnetlink_rcv_msg+0x667/0xa80\n  netlink_rcv_skb+0x12c/0x360\n  netlink_unicast+0x551/0x770\n  netlink_sendmsg+0x72d/0xbd0\n  __sock_sendmsg+0xc5/0x190\n  ____sys_sendmsg+0x52e/0x6a0\n  ___sys_sendmsg+0xeb/0x170\n  __sys_sendmsg+0xb5/0x140\n  do_syscall_64+0x4c/0x100\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 4011:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x10/0x30\n  kasan_save_free_info+0x37/0x50\n  poison_slab_object+0x10c/0x190\n  __kasan_slab_free+0x11/0x30\n  kfree+0xe0/0x290\n  macsec_free_netdev+0x3f/0x140\n  netdev_run_todo+0x450/0xc70\n  rtnetlink_rcv_msg+0x66f/0xa80\n  netlink_rcv_skb+0x12c/0x360\n  netlink_unicast+0x551/0x770\n  netlink_sendmsg+0x72d/0xbd0\n  __sock_sendmsg+0xc5/0x190\n  ____sys_sendmsg+0x52e/0x6a0\n  ___sys_sendmsg+0xeb/0x170\n  __sys_sendmsg+0xb5/0x140\n  do_syscall_64+0x4c/0x100\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
  "id": "GHSA-6gx2-28h4-32x9",
  "modified": "2024-11-14T18:30:33Z",
  "published": "2024-11-09T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50261"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4614640f1d5c93c22272117dc256e9940ccac8e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/872932cf75cf859804370a265dd58118129386fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f5ae743dbe9a2458540a7d35fff0f990df025cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1e54d11b210b53d418ff1476c6b58a2f434dfc0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.