Bug 2320467 (CVE-2024-49940) - CVE-2024-49940 kernel: l2tp: prevent possible tunnel refcount underflow
Summary: CVE-2024-49940 kernel: l2tp: prevent possible tunnel refcount underflow
Keywords:
Status: NEW
Alias: CVE-2024-49940
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2320803
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-10-21 19:03 UTC by OSIDB Bzimport
Modified: 2024-10-21 23:20 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-10-21 19:03:56 UTC 
In the Linux kernel, the following vulnerability has been resolved:

l2tp: prevent possible tunnel refcount underflow

When a session is created, it sets a backpointer to its tunnel. When
the session refcount drops to 0, l2tp_session_free drops the tunnel
refcount if session->tunnel is non-NULL. However, session->tunnel is
set in l2tp_session_create, before the tunnel refcount is incremented
by l2tp_session_register, which leaves a small window where
session->tunnel is non-NULL when the tunnel refcount hasn't been
bumped.

Moving the assignment to l2tp_session_register is trivial but
l2tp_session_create calls l2tp_session_set_header_len which uses
session->tunnel to get the tunnel's encap. Add an encap arg to
l2tp_session_set_header_len to avoid using session->tunnel.

If l2tpv3 sessions have colliding IDs, it is possible for
l2tp_v3_session_get to race with l2tp_session_register and fetch a
session which doesn't yet have session->tunnel set. Add a check for
this case.
Comment 1 Robb Gatica 2024-10-21 22:22:24 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102127-CVE-2024-49940-1c88@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.