We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-50036

net: do not delay dst_entries_add() in dst_release()



Description

In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels.

Reserved 2024-10-21 | Published 2024-10-21 | Updated 2024-11-19 | Assigner Linux

Product status

Default status
unaffected

f88649721268 before 547087307bc1
affected

f88649721268 before e3915f028b1f
affected

f88649721268 before a60db84f772f
affected

f88649721268 before eae7435b48ff
affected

f88649721268 before 3c7c918ec0aa
affected

f88649721268 before ac888d58869b
affected

Default status
affected

3.16
affected

Any version before 3.16
unaffected

5.10.230
unaffected

5.15.172
unaffected

6.1.117
unaffected

6.6.57
unaffected

6.11.4
unaffected

6.12
unaffected

References

git.kernel.org/...c/547087307bc19417b4f2bc85ba9664a3e8db5a6a

git.kernel.org/...c/e3915f028b1f1c37e87542e5aadd33728c259d96

git.kernel.org/...c/a60db84f772fc3a906c6c4072f9207579c41166f

git.kernel.org/...c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd

git.kernel.org/...c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc

git.kernel.org/...c/ac888d58869bb99753e7652be19a151df9ecb35d

cve.org (CVE-2024-50036)

nvd.nist.gov (CVE-2024-50036)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-50036

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.