CVE-2024-50036
net: do not delay dst_entries_add() in dst_release()
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
net: do not delay dst_entries_add() in dst_release()
In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels.
Reserved 2024-10-21 | Published 2024-10-21 | Updated 2025-05-04 | Assigner Linuxgit.kernel.org/...c/547087307bc19417b4f2bc85ba9664a3e8db5a6a
git.kernel.org/...c/e3915f028b1f1c37e87542e5aadd33728c259d96
git.kernel.org/...c/a60db84f772fc3a906c6c4072f9207579c41166f
git.kernel.org/...c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd
git.kernel.org/...c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc
git.kernel.org/...c/ac888d58869bb99753e7652be19a151df9ecb35d
Support options
