ghsa-x7mx-xj8x-r7p3
Vulnerability from github
Published
2024-08-17 09:30
Modified
2025-11-04 00:31
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows:

    conn_id->cm_id.iw = cm_id;
    cm_id->context = conn_id;
    cm_id->cm_handler = cma_iw_handler;

rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct rdma_id_private after all pending work has finished.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-42285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T09:15:09Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\n\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\n\n        conn_id-\u003ecm_id.iw = cm_id;\n        cm_id-\u003econtext = conn_id;\n        cm_id-\u003ecm_handler = cma_iw_handler;\n\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.",
  "id": "GHSA-x7mx-xj8x-r7p3",
  "modified": "2025-11-04T00:31:12Z",
  "published": "2024-08-17T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42285"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.