CVE-2024-26898

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

This patch is against CVE-2023-6270. The description of cve is:

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
`struct net_device`, and a use-after-free can be triggered by racing
between the free on the struct and the access through the `skbtxq`
global queue. This could lead to a denial of service condition or
potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: aoe: soluciona el posible problema de use-after-free en aoecmd_cfg_pkts. Este parche es contra CVE-2023-6270. La descripción de cve es: Se encontró una falla en el controlador ATA sobre Ethernet (AoE) en el kernel de Linux. La función aoecmd_cfg_pkts() actualiza incorrectamente el refcnt en `struct net_device`, y se puede activar un use-after-free corriendo entre lo libre en la estructura y el acceso a través de la cola global `skbtxq`. Esto podría provocar una condición de denegación de servicio o una posible ejecución de código. En aoecmd_cfg_pkts(), siempre llama a dev_put(ifp) cuando finaliza el código inicial de skb. Pero el ifp net_device todavía se usará en tx()->dev_queue_xmit() posterior en kthread. Lo que significa que NO se debe llamar a dev_put(ifp) en la ruta exitosa del código inicial de skb en aoecmd_cfg_pkts(). De lo contrario, tx() puede ejecutar use-after-free porque el net_device está liberado. Este parche eliminó dev_put(ifp) en la ruta de éxito en aoecmd_cfg_pkts() y agregó dev_put() después de skb xmit en tx().

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-30 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/7562f876cd93800f2f8c89445f2a563590b24e09	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ad80c34944d7175fa1f5c7a55066020002921a99	2024-03-26
https://git.kernel.org/stable/c/1a54aa506b3b2f31496731039e49778f54eee881	2024-03-26
https://git.kernel.org/stable/c/faf0b4c5e00bb680e8e43ac936df24d3f48c8e65	2024-03-26
https://git.kernel.org/stable/c/7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4	2024-03-26
https://git.kernel.org/stable/c/74ca3ef68d2f449bc848c0a814cefc487bf755fa	2024-03-26
https://git.kernel.org/stable/c/eb48680b0255a9e8a9bdc93d6a55b11c31262e62	2024-03-26
https://git.kernel.org/stable/c/079cba4f4e307c69878226fdf5228c20aa1c969c	2024-03-26
https://git.kernel.org/stable/c/a16fbb80064634b254520a46395e36b87ca4731e	2024-03-26
https://git.kernel.org/stable/c/f98364e926626c678fb4b9004b75cacf92ff0662	2024-03-06

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 4.19.311 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 4.19.311"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 5.4.273 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 5.4.273"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 5.10.214 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 5.10.214"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 5.15.153 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 5.15.153"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.1.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.22 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.22 < 6.9"		en		Affected