Release Date: | 2024-09-27 |
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: Fix uaf in __timer_delete_sync

There are two paths to access mptcp_pm_del_add_timer, result in a race
condition:

CPU1                                CPU2
====                                ====
net_rx_action
napi_poll                           netlink_sendmsg
__napi_poll                         netlink_unicast
process_backlog                     netlink_unicast_kernel
__netif_receive_skb                 genl_rcv
__netif_receive_skb_one_core        netlink_rcv_skb
NF_HOOK                             genl_rcv_msg
ip_local_deliver_finish             genl_family_rcv_msg
ip_protocol_deliver_rcu             genl_family_rcv_msg_doit
tcp_v4_rcv                          mptcp_pm_nl_flush_addrs_doit
tcp_v4_do_rcv                       mptcp_nl_remove_addrs_list
tcp_rcv_established                 mptcp_pm_remove_addrs_and_subflows
tcp_data_queue                      remove_anno_list_by_saddr
mptcp_incoming_options              mptcp_pm_del_add_timer
mptcp_pm_del_add_timer              kfree(entry)

In remove_anno_list_by_saddr(running on CPU2), after leaving the critical
zone protected by 'pm.lock', the entry will be released, which leads to the
occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).

Keeping a reference to add_timer inside the lock, and calling
sk_stop_timer_sync() with this reference, instead of 'entry->add_timer'.

Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
do not directly access any members of the entry outside the pm lock, which
can avoid similar 'entry->x' uaf.
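
The locking pattern the fix describes, as an added userspace model in C (not the kernel patch or code from this page). All type and function names below are hypothetical stand-ins, and a pthread mutex stands in for 'pm.lock'.

```c
#include <pthread.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
struct timer { int armed; };
struct add_entry {
    struct add_entry *next;
    int addr_id;
    struct timer add_timer;
};
struct pm {
    pthread_mutex_t lock;          /* stands in for pm.lock */
    struct add_entry *anno_list;   /* announced-address list */
};

static void stop_timer_sync(struct timer *t) { t->armed = 0; }

/* Insert a new entry with an armed timer at the head of the list. */
struct add_entry *pm_add_entry(struct pm *pm, int addr_id)
{
    struct add_entry *e = calloc(1, sizeof(*e));
    if (!e)
        return NULL;
    e->addr_id = addr_id;
    e->add_timer.armed = 1;
    pthread_mutex_lock(&pm->lock);
    e->next = pm->anno_list;
    pm->anno_list = e;
    pthread_mutex_unlock(&pm->lock);
    return e;
}

/* Look up, unlink and capture the timer pointer in ONE critical section. */
struct add_entry *pm_del_add_timer(struct pm *pm, int addr_id)
{
    struct add_entry **pp, *entry = NULL;
    struct timer *add_timer = NULL;

    pthread_mutex_lock(&pm->lock);
    for (pp = &pm->anno_list; *pp; pp = &(*pp)->next) {
        if ((*pp)->addr_id != addr_id)
            continue;
        entry = *pp;
        *pp = entry->next;              /* unlink inside the lock */
        add_timer = &entry->add_timer;  /* reference taken inside the lock */
        break;
    }
    pthread_mutex_unlock(&pm->lock);

    if (add_timer)                      /* outside the lock: local reference only */
        stop_timer_sync(add_timer);
    return entry;   /* NULL for any second caller; only the owner may free */
}
```

Because the unlink happens in the same critical section as the lookup, a second caller racing on the same address gets NULL and never dereferences an entry that the first caller is about to free.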
See more information about CVE-2024-46858 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
Base Score: | 7.0 |
Vector String: | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Version: | 3.1 |
Attack Vector: | Local |
Attack Complexity: | High |
Privileges Required: | Low |
User Interaction: | None |
Scope: | Unchanged |
Confidentiality: | High |
Integrity: | High |
Availability: | High |
Platform | Errata | Release Date |
Oracle Linux version 8 (kernel) | ELSA-2024-10281 | 2024-11-26 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
Oracle Linux version 9 (kernel) | ELSA-2024-9605 | 2024-11-19 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: