CVE-2024-35899

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35899
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35899.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35899
Related
Published
2024-05-19T09:15:10Z
Modified
2024-11-05T11:50:06.776952Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: flush pending destroy work before exitnet release

Similar to 2c9f0293280e ("netfilter: nftables: flush pending destroy work before netlink notifier") to address a race between exitnet and the destroy workqueue.

The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction.

[ 1360.547789] BUG: KASAN: slab-use-after-free in nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nftablestransdestroywork [nftables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dumpstacklvl+0x53/0x70 [ 1360.548014] printreport+0xc4/0x610 [ 1360.548026] ? virtaddrvalid+0xba/0x160 [ 1360.548040] ? _pfxrawspinlockirqsave+0x10/0x10 [ 1360.548054] ? nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548176] kasanreport+0xae/0xe0 [ 1360.548189] ? nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548312] nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548447] ? _pfxnftablestransdestroywork+0x10/0x10 [nftables] [ 1360.548577] ? rawspinunlockirq+0x18/0x30 [ 1360.548591] processonework+0x2f1/0x670 [ 1360.548610] workerthread+0x4d3/0x760 [ 1360.548627] ? _pfxworkerthread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? _pfxkthread+0x10/0x10 [ 1360.548665] retfromfork+0x2f/0x50 [ 1360.548679] ? _pfxkthread+0x10/0x10 [ 1360.548690] retfromfork_asm+0x1a/0x30 [ 1360.548707] </TASK>

[ 1360.548719] Allocated by task 192061: [ 1360.548726] kasansavestack+0x20/0x40 [ 1360.548739] kasansavetrack+0x14/0x30 [ 1360.548750] kasankmalloc+0x8f/0xa0 [ 1360.548760] _kmallocnode+0x1f1/0x450 [ 1360.548771] nftablesnewset+0x10c7/0x1b50 [nftables] [ 1360.548883] nfnetlinkrcvbatch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlinkrcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlinkunicast+0x367/0x4f0 [ 1360.548935] netlinksendmsg+0x34b/0x610 [ 1360.548944] _syssendmsg+0x4d4/0x510 [ 1360.548953] _syssendmsg+0xc9/0x120 [ 1360.548961] _syssendmsg+0xbe/0x140 [ 1360.548971] dosyscall64+0x55/0x120 [ 1360.548982] entrySYSCALL64afterhwframe+0x55/0x5d

[ 1360.548994] Freed by task 192222: [ 1360.548999] kasansavestack+0x20/0x40 [ 1360.549009] kasansavetrack+0x14/0x30 [ 1360.549019] kasansavefreeinfo+0x3b/0x60 [ 1360.549028] poisonslabobject+0x100/0x180 [ 1360.549036] _kasanslabfree+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] _nftreleasetable+0x473/0x6a0 [nftables] [ 1360.549131] nftablesexitnet+0x170/0x240 [nftables] [ 1360.549221] opsexitlist+0x50/0xa0 [ 1360.549229] freeexitlist+0x101/0x140 [ 1360.549236] unregisterpernetoperations+0x107/0x160 [ 1360.549245] unregisterpernetsubsys+0x1c/0x30 [ 1360.549254] nftablesmoduleexit+0x43/0x80 [nftables] [ 1360.549345] _dosysdeletemodule+0x253/0x370 [ 1360.549352] dosyscall64+0x55/0x120 [ 1360.549360] entrySYSCALL64afterhwframe+0x55/0x5d

(gdb) list *_nftreleasetable+0x473 0x1e033 is in _nftreleasetable (net/netfilter/nftablesapi.c:11354). 11349 listforeachentrysafe(flowtable, nf, &table->flowtables, list) { 11350 listdel(&flowtable->list); 11351 nftusedec(&table->use); 11352 nftablesflowtabledestroy(flowtable); 11353 } 11354 listforeachentrysafe(set, ns, &table->sets, list) { 11355 listdel(&set->list); 11356 nftusedec(&table->use); 11357 if (set->flags & (NFTSETMAP | NFTSETOBJECT)) 11358 nftmap_deactivat ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.216-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.85-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.8.9-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}