// For flags

CVE-2024-26898

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

This patch is against CVE-2023-6270. The description of cve is:

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
`struct net_device`, and a use-after-free can be triggered by racing
between the free on the struct and the access through the `skbtxq`
global queue. This could lead to a denial of service condition or
potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: aoe: soluciona el posible problema de use-after-free en aoecmd_cfg_pkts. Este parche es contra CVE-2023-6270. La descripción de cve es: Se encontró una falla en el controlador ATA sobre Ethernet (AoE) en el kernel de Linux. La función aoecmd_cfg_pkts() actualiza incorrectamente el refcnt en `struct net_device`, y se puede activar un use-after-free corriendo entre lo libre en la estructura y el acceso a través de la cola global `skbtxq`. Esto podría provocar una condición de denegación de servicio o una posible ejecución de código. En aoecmd_cfg_pkts(), siempre llama a dev_put(ifp) cuando finaliza el código inicial de skb. Pero el ifp net_device todavía se usará en tx()->dev_queue_xmit() posterior en kthread. Lo que significa que NO se debe llamar a dev_put(ifp) en la ruta exitosa del código inicial de skb en aoecmd_cfg_pkts(). De lo contrario, tx() puede ejecutar use-after-free porque el net_device está liberado. Este parche eliminó dev_put(ifp) en la ruta de éxito en aoecmd_cfg_pkts() y agregó dev_put() después de skb xmit en tx().

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-04-17 CVE Published
  • 2024-04-30 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 4.19.311
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 4.19.311"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 5.4.273
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 5.4.273"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 5.10.214
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 5.10.214"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 5.15.153
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 5.15.153"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 6.1.83
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.1.83"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 6.6.23
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.6.23"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 6.7.11
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.7.11"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 6.8.2
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.8.2"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 2.6.22 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.9"
en
Affected