CVE-2024-50261
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50261
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50261.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-50261
- Related
- Published
- 2024-11-09T11:15:11Z
- Modified
- 2024-11-24T17:49:45.002182Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
macsec: Fix use-after-free while sending the offloading packet
KASAN reports the following UAF. The metadatadst, which is used to store the SCI value for macsec offload, is already freed by metadatadstfree() in macsecfree_netdev(), while driver still use it for sending the packet.
To fix this issue, dstrelease() is used instead to release metadatadst. So it is not freed instantly in macsecfreenetdev() if still referenced by skb.
BUG: KASAN: slab-use-after-free in mlx5exmit+0x1e8f/0x4190 [mlx5core] Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714 [...] Workqueue: mld mldifcwork Call Trace: <TASK> dumpstacklvl+0x51/0x60 printreport+0xc1/0x600 kasanreport+0xab/0xe0 mlx5exmit+0x1e8f/0x4190 [mlx5core] devhardstartxmit+0x120/0x530 schdirectxmit+0x149/0x11e0 _qdiscrun+0x3ad/0x1730 _devqueuexmit+0x1196/0x2ed0 vlandevhardstartxmit+0x32e/0x510 [8021q] devhardstartxmit+0x120/0x530 _devqueuexmit+0x14a7/0x2ed0 macsecstartxmit+0x13e9/0x2340 devhardstartxmit+0x120/0x530 _devqueuexmit+0x14a7/0x2ed0 ip6finishoutput2+0x923/0x1a70 ip6finishoutput+0x2d7/0x970 ip6output+0x1ce/0x3a0 NFHOOK.constprop.0+0x15f/0x190 mldsendpack+0x59a/0xbd0 mldifcwork+0x48a/0xa80 processonework+0x5aa/0xe50 workerthread+0x79c/0x1290 kthread+0x28f/0x350 retfromfork+0x2d/0x70 retfromfork_asm+0x11/0x20 </TASK>
Allocated by task 3922: kasansavestack+0x20/0x40 kasansavetrack+0x10/0x30 kasankmalloc+0x77/0x90 _kmallocnoprof+0x188/0x400 metadatadstalloc+0x1f/0x4e0 macsecnewlink+0x914/0x1410 _rtnlnewlink+0xe08/0x15b0 rtnlnewlink+0x5f/0x90 rtnetlinkrcvmsg+0x667/0xa80 netlinkrcvskb+0x12c/0x360 netlinkunicast+0x551/0x770 netlinksendmsg+0x72d/0xbd0 _socksendmsg+0xc5/0x190 _syssendmsg+0x52e/0x6a0 _syssendmsg+0xeb/0x170 _syssendmsg+0xb5/0x140 dosyscall64+0x4c/0x100 entrySYSCALL64afterhwframe+0x4b/0x53
Freed by task 4011: kasansavestack+0x20/0x40 kasansavetrack+0x10/0x30 kasansavefreeinfo+0x37/0x50 poisonslabobject+0x10c/0x190 kasanslabfree+0x11/0x30 kfree+0xe0/0x290 macsecfreenetdev+0x3f/0x140 netdevruntodo+0x450/0xc70 rtnetlinkrcvmsg+0x66f/0xa80 netlinkrcvskb+0x12c/0x360 netlinkunicast+0x551/0x770 netlinksendmsg+0x72d/0xbd0 _socksendmsg+0xc5/0x190 _syssendmsg+0x52e/0x6a0 _syssendmsg+0xeb/0x170 _syssendmsg+0xb5/0x140 dosyscall64+0x4c/0x100 entrySYSCALL64afterhwframe+0x4b/0x53
- References
-
- https://git.kernel.org/stable/c/4614640f1d5c93c22272117dc256e9940ccac8e8
- https://git.kernel.org/stable/c/872932cf75cf859804370a265dd58118129386fa
- https://git.kernel.org/stable/c/9f5ae743dbe9a2458540a7d35fff0f990df025cf
- https://git.kernel.org/stable/c/f1e54d11b210b53d418ff1476c6b58a2f434dfc0
- https://security-tracker.debian.org/tracker/CVE-2024-50261
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.119-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.11.7-1