Bug 2320622 (CVE-2024-50036) - CVE-2024-50036 kernel: net: do not delay dst_entries_add() in dst_release()
Summary: CVE-2024-50036 kernel: net: do not delay dst_entries_add() in dst_release()
Keywords:
Status: NEW
Alias: CVE-2024-50036
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2320896
Blocks:
Reported: 2024-10-21 20:04 UTC by OSIDB Bzimport
Modified: 2024-10-22 13:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Description OSIDB Bzimport 2024-10-21 20:04:10 UTC
In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release()

dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy().

Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits for an RCU grace period before calling dst_destroy().

dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) In the CONFIG_XFRM case, dst_destroy() can call
   dst_release_immediate(child); this might also cause a UAF
   if the child does not have DST_NOCOUNT set.
   IPsec maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst,
   which might happen in future kernels.
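
As an added illustration of the ordering problem described above (a constructed userspace model, not kernel code and not part of this bug report): the per-cpu counter freed by dst_entries_destroy() is modelled as a heap-allocated int, the RCU grace period as a callback queue, and the two dst_release variants show the deferred decrement versus decrementing before queuing the destroy. All function and field names here are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed userspace model (assumed names, not kernel code): the per-cpu
 * counter freed by dst_entries_destroy() is a heap int, and the RCU grace
 * period that dst_release() waits for is a queue drained by rcu_flush(). */
struct dst_ops { int *pcpuent; };                        /* NULL once freed */
struct dst_entry { struct dst_ops *ops; bool nocount; }; /* nocount ~ DST_NOCOUNT */

static struct dst_entry *rcu_queue[8];
static int rcu_queued;

/* Returns false instead of touching freed memory, so the caller can count it. */
static bool dst_entries_add(struct dst_ops *ops, int delta) {
    if (!ops->pcpuent) return false;  /* would be a use-after-free in the kernel */
    *ops->pcpuent += delta;
    return true;
}

/* Old behaviour: the decrement waits for dst_destroy() after the grace period. */
static void dst_release_old(struct dst_entry *d) { rcu_queue[rcu_queued++] = d; }

/* Fixed behaviour: decrement now; mark the entry so dst_destroy() skips it. */
static void dst_release_fixed(struct dst_entry *d) {
    if (!d->nocount) { dst_entries_add(d->ops, -1); d->nocount = true; }
    rcu_queue[rcu_queued++] = d;
}

/* Runs after the grace period; only the old path still decrements here. */
static bool dst_destroy(struct dst_entry *d) {
    return d->nocount || dst_entries_add(d->ops, -1);
}

static void dst_entries_destroy(struct dst_ops *ops) { free(ops->pcpuent); ops->pcpuent = NULL; }

/* Drain pending callbacks; returns how many hit an already-freed counter. */
static int rcu_flush(void) {
    int uaf = 0;
    for (int i = 0; i < rcu_queued; i++) uaf += !dst_destroy(rcu_queue[i]);
    rcu_queued = 0;
    return uaf;
}

/* Netns teardown in the order the commit message gives; returns the UAF count (0 = safe). */
int netns_teardown(bool fixed) {
    struct dst_ops ops = { .pcpuent = calloc(1, sizeof(int)) };
    struct dst_entry d = { .ops = &ops, .nocount = false };
    dst_entries_add(&ops, 1);                        /* dst allocated and counted */
    if (fixed) dst_release_fixed(&d); else dst_release_old(&d);
    dst_entries_destroy(&ops);                       /* ip6_route_net_exit() path */
    return rcu_flush();                              /* grace period ends, dst_destroy() runs */
}
```

With the old ordering the deferred dst_destroy() reaches the counter after dst_entries_destroy() freed it; with the fix the count is already back to zero before the netns exit path runs.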

Comment 1 Avinash Hanwate 2024-10-22 10:01:51 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50036-9d91@gregkh/T