We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53140

netlink: terminate outstanding dump on socket close



Description

In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress. Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own.

Reserved 2024-11-19 | Published 2024-12-04 | Updated 2024-12-19 | Assigner Linux

Product status

Default status
unaffected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before 114a61d8d94ae3a43b82446cf737fd757021b834
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before 598c956b62699c3753929602560d8df322e60559
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before 6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before 4e87a52133284afbd40fb522dbf96e258af52a98
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before 176c41b3ca9281a9736b67c6121b03dbf0c8c08f
affected

ed5d7788a934a4b6d6d025e948ed4da496b4f12e before 1904fb9ebf911441f90a68e96b22aa73e4410505
affected

Default status
affected

4.9
affected

Any version before 4.9
unaffected

4.19.325
unaffected

5.4.287
unaffected

5.10.231
unaffected

5.15.174
unaffected

6.1.119
unaffected

6.6.63
unaffected

6.11.10
unaffected

6.12
unaffected

References

git.kernel.org/...c/114a61d8d94ae3a43b82446cf737fd757021b834

git.kernel.org/...c/598c956b62699c3753929602560d8df322e60559

git.kernel.org/...c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4

git.kernel.org/...c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603

git.kernel.org/...c/4e87a52133284afbd40fb522dbf96e258af52a98

git.kernel.org/...c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca

git.kernel.org/...c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f

git.kernel.org/...c/1904fb9ebf911441f90a68e96b22aa73e4410505

cve.org (CVE-2024-53140)

nvd.nist.gov (CVE-2024-53140)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-53140

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.