// For flags

CVE-2024-50130

netfilter: bpf: must hold reference on net namespace

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: must hold reference on net namespace

BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60

Eric says:
It seems that bpf was able to defer the __nf_unregister_net_hook()
after exit()/close() time.
Perhaps a netns reference is missing, because the netns has been
dismantled/freed already.
bpf_nf_link_attach() does :
link->net = net;
But I do not see a reference being taken on net.

Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: bpf: debe contener referencia en el espacio de nombres net ERROR: KASAN: slab-use-after-free en __nf_unregister_net_hook+0x640/0x6b0 Lectura de tamaño 8 en la dirección ffff8880106fe400 por la tarea repro/72= bpf_nf_link_release+0xda/0x1e0 bpf_link_free+0x139/0x2d0 bpf_link_release+0x68/0x80 __fput+0x414/0xb60 Eric dice: Parece que bpf pudo diferir __nf_unregister_net_hook() después del tiempo de exit()/close(). Quizás falta una referencia a netns, porque netns ya se ha desmantelado/liberado. bpf_nf_link_attach() hace: link->net = net; Pero no veo que se tome ninguna referencia en net. Agregue dicha referencia y libérela después de anular el registro. Tenga en cuenta que no pude hacer que funcionara el reproductor syzbot, por lo que no sé si esto resuelve este problema.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-10-21 CVE Reserved
  • 2024-11-05 CVE Published
  • 2024-11-05 CVE Updated
  • 2024-11-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.4 < 6.6.59
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.59"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.4 < 6.11.6
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.11.6"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.4 < 6.12-rc5
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.12-rc5"
en
Affected