CVE-2024-39503

netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type

Lion Ackermann reported that there is a race condition between namespace cleanup
in ipset and the garbage collection of the list:set type. The namespace
cleanup can destroy the list:set type of sets while the gc of the set type is
waiting to run in rcu cleanup. The latter uses data from the destroyed set which
thus leads use after free. The patch contains the following parts:

- When destroying all sets, first remove the garbage collectors, then wait
if needed and then destroy the sets.
- Fix the badly ordered "wait then remove gc" for the destroy a single set
case.
- Fix the missing rcu locking in the list:set type in the userspace test
case.
- Use proper RCU list handlings in the list:set type.

The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-25 CVE Reserved
2024-07-12 CVE Published
2024-07-13 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225	Vuln. Introduced
https://git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05	Vuln. Introduced
https://git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49	Vuln. Introduced
https://git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c	Vuln. Introduced
https://git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397	Vuln. Introduced
https://git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001	Vuln. Introduced
https://git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3	2024-07-05
https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83	2024-07-05
https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568	2024-07-05
https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6	2024-06-21
https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702	2024-06-21
https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08	2024-06-21
https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10	2024-06-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.269 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.269 < 5.4.279"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.210 < 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.210 < 5.10.221"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.149 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.149 < 5.15.162"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.79 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.79 < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.18 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.18 < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.9.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.7.6 Search vendor "Linux" for product "Linux Kernel" and version "6.7.6"		en		Affected