// For flags

CVE-2024-26861

wireguard: receive: annotate data-race around receiving_counter.counter

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

wireguard: receive: annotate data-race around receiving_counter.counter

Syzkaller with KCSAN identified a data-race issue when accessing
keypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()
annotations to mark the data race as intentional.

BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll

write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:
counter_validate drivers/net/wireguard/receive.c:321 [inline]
wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461
__napi_poll+0x60/0x3b0 net/core/dev.c:6536
napi_poll net/core/dev.c:6605 [inline]
net_rx_action+0x32b/0x750 net/core/dev.c:6738
__do_softirq+0xc4/0x279 kernel/softirq.c:553
do_softirq+0x5e/0x90 kernel/softirq.c:454
__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499
process_one_work kernel/workqueue.c:2633 [inline]
...

read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:
decrypt_packet drivers/net/wireguard/receive.c:252 [inline]
wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
worker_thread+0x525/0x730 kernel/workqueue.c:2787
...

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wireguard: recibir: anotar carrera de datos alrededor de recibir_counter.counter Syzkaller con KCSAN identificó un problema de carrera de datos al acceder al par de claves->receiving_counter.counter. Utilice las anotaciones READ_ONCE() y WRITE_ONCE() para marcar la carrera de datos como intencional. ERROR: KCSAN: carrera de datos en wg_packet_decrypt_worker/wg_packet_rx_poll escribir en 0xffff888107765888 de 8 bytes por interrupción en la CPU 0: counter_validate drivers/net/wireguard/receive.c:321 [en línea] wg_packet_rx_poll+0x3ac/0xf00 .c:461 __napi_poll+0x60/0x3b0 net/core/dev.c:6536 napi_poll net/core/dev.c:6605 [en línea] net_rx_action+0x32b/0x750 net/core/dev.c:6738 __do_softirq+0xc4/0x279 kernel/softirq.c:553 do_softirq+0x5e/0x90 kernel/softirq.c:454 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [en línea] _raw_spin_unlock_bh+0x36/0x 40 granos /locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [en línea] ptr_ring_consume_bh include/linux/ptr_ring.h:367 [en línea] wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499 Process_one_work kernel/workqueue.c:2633 [en línea] ... leído en 0xffff888107765888 de 8 bytes por tarea 3196 en la CPU 1: decrypt_packet drivers/net/wireguard/receive.c:252 [en línea] wg_packet_decrypt_worker+0x220/0x700 drivers/net /wireguard/receive.c:501 Process_one_work kernel/workqueue.c:2633 [en línea] Process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706 Workers_thread+0x525/0x730 kernel/workqueue.c:2787 ...

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-04-17 CVE Published
  • 2024-04-18 EPSS Updated
  • 2024-09-11 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 5.10.214
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.214"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 5.15.153
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15.153"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 6.1.83
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.1.83"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 6.6.23
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.6.23"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 6.7.11
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.7.11"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 6.8.2
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.8.2"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.7 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.9"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 5.6.16
Search vendor "Linux" for product "Linux Kernel" and version "5.6.16"
en
Affected