CVE-2024-46858

CVE Details

Release Date: 2024-09-27

Description


In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: Fix uaf in __timer_delete_sync

There are two paths to access mptcp_pm_del_add_timer, result in a race
condition:

    CPU1                               CPU2
    ====                               ====
    net_rx_action
    napi_poll                          netlink_sendmsg
    __napi_poll                        netlink_unicast
    process_backlog                    netlink_unicast_kernel
    __netif_receive_skb                genl_rcv
    __netif_receive_skb_one_core       netlink_rcv_skb
    NF_HOOK                            genl_rcv_msg
    ip_local_deliver_finish            genl_family_rcv_msg
    ip_protocol_deliver_rcu            genl_family_rcv_msg_doit
    tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit
    tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list
    tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows
    tcp_data_queue                     remove_anno_list_by_saddr
    mptcp_incoming_options             mptcp_pm_del_add_timer
    mptcp_pm_del_add_timer             kfree(entry)

In remove_anno_list_by_saddr(running on CPU2), after leaving the critical
zone protected by 'pm.lock', the entry will be released, which leads to the
occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).

Keeping a reference to add_timer inside the lock, and calling
sk_stop_timer_sync() with this reference, instead of 'entry->add_timer'.

Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
do not directly access any members of the entry outside the pm lock, which
can avoid similar 'entry->x' uaf.

See more information about CVE-2024-46858 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.0
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Errata information


Platform                               Errata             Release Date
Oracle Linux version 8 (kernel)        ELSA-2024-10281    2024-11-26
Oracle Linux version 8 (kernel-uek)    ELSA-2024-12887    2024-12-18
Oracle Linux version 9 (kernel)        ELSA-2024-9605     2024-11-19
Oracle Linux version 9 (kernel-uek)    ELSA-2024-12887    2024-12-18


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
