CVE-2024-35899
- Source
- https://cve.org/CVERecord?id=CVE-2024-35899
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35899.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-35899
- Downstream
- Related
- Published
- 2024-05-19T08:34:53.267Z
- Modified
- 2026-03-23T05:06:41.296937984Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
- Summary
- netfilter: nf_tables: flush pending destroy work before exit_net release
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: flush pending destroy work before exitnet release
Similar to 2c9f0293280e ("netfilter: nftables: flush pending destroy work before netlink notifier") to address a race between exitnet and the destroy workqueue.
The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction.
[ 1360.547789] BUG: KASAN: slab-use-after-free in nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nftablestransdestroywork [nftables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dumpstacklvl+0x53/0x70 [ 1360.548014] print_report+0xc4/0x610 [ 1360.548026] ? __virtaddrvalid+0xba/0x160 [ 1360.548040] ? pfxrawspinlockirqsave+0x10/0x10 [ 1360.548054] ? nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548176] kasanreport+0xae/0xe0 [ 1360.548189] ? nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548312] nftablestransdestroywork+0x3f5/0x590 [nf_tables] [ 1360.548447] ? __pfxnftablestransdestroywork+0x10/0x10 [nftables] [ 1360.548577] ? rawspinunlockirq+0x18/0x30 [ 1360.548591] processonework+0x2f1/0x670 [ 1360.548610] worker_thread+0x4d3/0x760 [ 1360.548627] ? __pfxworkerthread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? __pfxkthread+0x10/0x10 [ 1360.548665] retfrom_fork+0x2f/0x50 [ 1360.548679] ? __pfxkthread+0x10/0x10 [ 1360.548690] retfromforkasm+0x1a/0x30 [ 1360.548707] </TASK>
[ 1360.548719] Allocated by task 192061: [ 1360.548726] kasansavestack+0x20/0x40 [ 1360.548739] kasansavetrack+0x14/0x30 [ 1360.548750] __kasan_kmalloc+0x8f/0xa0 [ 1360.548760] __kmallocnode+0x1f1/0x450 [ 1360.548771] nftablesnewset+0x10c7/0x1b50 [nftables] [ 1360.548883] nfnetlink_rcvbatch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlinkrcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlinkunicast+0x367/0x4f0 [ 1360.548935] netlinksendmsg+0x34b/0x610 [ 1360.548944] ____sys_sendmsg+0x4d4/0x510 [ 1360.548953] ___sys_sendmsg+0xc9/0x120 [ 1360.548961] _syssendmsg+0xbe/0x140 [ 1360.548971] dosyscall64+0x55/0x120 [ 1360.548982] entrySYSCALL64afterhwframe+0x55/0x5d
[ 1360.548994] Freed by task 192222: [ 1360.548999] kasansavestack+0x20/0x40 [ 1360.549009] kasansavetrack+0x14/0x30 [ 1360.549019] kasansavefreeinfo+0x3b/0x60 [ 1360.549028] poisonslab_object+0x100/0x180 [ 1360.549036] __kasanslabfree+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] __nftreleasetable+0x473/0x6a0 [nftables] [ 1360.549131] nftables_exitnet+0x170/0x240 [nftables] [ 1360.549221] opsexitlist+0x50/0xa0 [ 1360.549229] freeexitlist+0x101/0x140 [ 1360.549236] unregisterpernetoperations+0x107/0x160 [ 1360.549245] unregisterpernetsubsys+0x1c/0x30 [ 1360.549254] nftablesmoduleexit+0x43/0x80 [nftables] [ 1360.549345] _dosysdeletemodule+0x253/0x370 [ 1360.549352] dosyscall64+0x55/0x120 [ 1360.549360] entrySYSCALL64afterhwframe+0x55/0x5d
(gdb) list *__nftreleasetable+0x473 0x1e033 is in _nftreleasetable (net/netfilter/nftablesapi.c:11354). 11349 listforeachentrysafe(flowtable, nf, &table->flowtables, list) { 11350 listdel(&flowtable->list); 11351 nftusedec(&table->use); 11352 nftablesflowtabledestroy(flowtable); 11353 } 11354 listforeachentrysafe(set, ns, &table->sets, list) { 11355 listdel(&set->list); 11356 nftusedec(&table->use); 11357 if (set->flags & (NFTSETMAP | NFTSETOBJECT)) 11358 nftmapdeactivat ---truncated---
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35899.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2
- https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7
- https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31
- https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e
- https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6
- https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86
- https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35899.json
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-35899
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0935d558840099b3679c67bb7468dc78fcbad940Fixedf4e14695fe805eb0f0cb36e0ad6a560b9f985e86Fixed46c4481938e2ca62343b16ea83ab28f4c1733d31Fixedf7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49Fixed4e8447a9a3d367b5065a0b7abe101da6e0037b6eFixed333b5085522cf1898d5a0d92616046b414f631a7Fixedd2c9eb19fc3b11caebafde4c30a76a49203d18a6Fixed24cea9677025e0de419989ecb692acd4bb34cac2