| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024120453-CVE-2024-53140-6ecf@gregkh> Date: Wed, 4 Dec 2024 15:21:03 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-53140: netlink: terminate outstanding dump on socket close Description =========== In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress. Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own. The Linux kernel CVE team has assigned CVE-2024-53140 to this issue. Affected and fixed versions =========================== Issue introduced in 4.9 with commit ed5d7788a934 and fixed in 6.1.119 with commit 4e87a5213328 Issue introduced in 4.9 with commit ed5d7788a934 and fixed in 6.6.63 with commit bbc769d2fa1b Issue introduced in 4.9 with commit ed5d7788a934 and fixed in 6.11.10 with commit 176c41b3ca92 Issue introduced in 4.9 with commit ed5d7788a934 and fixed in 6.12 with commit 1904fb9ebf91 Issue introduced in 4.4.38 with commit baaf0c65bc8e Issue introduced in 4.8.14 with commit 25d9b4bb64ea Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-53140 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/netlink/af_netlink.c net/netlink/af_netlink.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98 https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505
Powered by blists - more mailing lists