cve-2024-40958
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:08
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0xa3/0xc0 ? __warn+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0 ? report_bug+0x1fc/0x2d0 ? refcount_warn_saturate+0xdf/0x1d0 ? handle_bug+0xa1/0x110 ? exc_invalid_op+0x3c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... This is trigger as below: ns0 ns1 tun_set_iff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 put_net() //ref is 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun->dev); open_related_ns(&net->ns, get_net_ns); //ns1 get_net_ns() get_net() //addition on 0 Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05efPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05efPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77bPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743bPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0Patch
Impacted products
Vendor Product Version
Linux Linux Version: 5.2
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:39:55.927Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:03:35.616951Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:23.921Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/net_namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3a6cd326ead7c8bb1f64486789a01974a9f1ad55",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            },
            {
              "lessThan": "2b82028a1f5ee3a8e04090776b10c534144ae77b",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            },
            {
              "lessThan": "cb7f811f638a14590ff98f53c6dd1fb54627d940",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            },
            {
              "lessThan": "1b631bffcb2c09551888f3c723f4365c91fe05ef",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            },
            {
              "lessThan": "ef0394ca25953ea0eddcc82feae1f750451f1876",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            },
            {
              "lessThan": "3af28df0d883e8c89a29ac31bc65f9023485743b",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            },
            {
              "lessThan": "ff960f9d3edbe08a736b5a224d91a305ccc946b0",
              "status": "affected",
              "version": "0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/net_namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.279",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.221",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetns: Make get_net_ns() handle zero refcount net\n\nSyzkaller hit a warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\nModules linked in:\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 \u003c0f\u003e 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\nFS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? show_regs+0xa3/0xc0\n ? __warn+0xa5/0x1c0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? report_bug+0x1fc/0x2d0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? handle_bug+0xa1/0x110\n ? exc_invalid_op+0x3c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? __warn_printk+0xcc/0x140\n ? __warn_printk+0xd5/0x140\n ? refcount_warn_saturate+0xdf/0x1d0\n get_net_ns+0xa4/0xc0\n ? __pfx_get_net_ns+0x10/0x10\n open_related_ns+0x5a/0x130\n __tun_chr_ioctl+0x1616/0x2370\n ? __sanitizer_cov_trace_switch+0x58/0xa0\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\n ? __pfx_tun_chr_ioctl+0x10/0x10\n tun_chr_ioctl+0x2f/0x40\n __x64_sys_ioctl+0x11b/0x160\n x64_sys_call+0x1211/0x20d0\n do_syscall_64+0x9e/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5b28f165d7\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nThis is trigger as below:\n          ns0                                    ns1\ntun_set_iff() //dev is tun0\n   tun-\u003edev = dev\n//ip link set tun0 netns ns1\n                                       put_net() //ref is 0\n__tun_chr_ioctl() //TUNGETDEVNETNS\n   net = dev_net(tun-\u003edev);\n   open_related_ns(\u0026net-\u003ens, get_net_ns); //ns1\n     get_net_ns()\n        get_net() //addition on 0\n\nUse maybe_get_net() in get_net_ns in case net\u0027s ref is zero to fix this"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:08:56.586Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876"
        },
        {
          "url": "https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0"
        }
      ],
      "title": "netns: Make get_net_ns() handle zero refcount net",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-40958",
    "datePublished": "2024-07-12T12:32:00.431Z",
    "dateReserved": "2024-07-12T12:17:45.593Z",
    "dateUpdated": "2024-12-19T09:08:56.586Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-40958\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-12T13:15:17.883\",\"lastModified\":\"2024-11-21T09:31:56.947\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetns: Make get_net_ns() handle zero refcount net\\n\\nSyzkaller hit a warning:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\\nModules linked in:\\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 \u003c0f\u003e 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\\nFS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \u003cTASK\u003e\\n ? show_regs+0xa3/0xc0\\n ? __warn+0xa5/0x1c0\\n ? refcount_warn_saturate+0xdf/0x1d0\\n ? report_bug+0x1fc/0x2d0\\n ? refcount_warn_saturate+0xdf/0x1d0\\n ? handle_bug+0xa1/0x110\\n ? exc_invalid_op+0x3c/0xb0\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? __warn_printk+0xcc/0x140\\n ? __warn_printk+0xd5/0x140\\n ? refcount_warn_saturate+0xdf/0x1d0\\n get_net_ns+0xa4/0xc0\\n ? __pfx_get_net_ns+0x10/0x10\\n open_related_ns+0x5a/0x130\\n __tun_chr_ioctl+0x1616/0x2370\\n ? __sanitizer_cov_trace_switch+0x58/0xa0\\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\\n ? __pfx_tun_chr_ioctl+0x10/0x10\\n tun_chr_ioctl+0x2f/0x40\\n __x64_sys_ioctl+0x11b/0x160\\n x64_sys_call+0x1211/0x20d0\\n do_syscall_64+0x9e/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f5b28f165d7\\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\\n \u003c/TASK\u003e\\nKernel panic - not syncing: kernel: panic_on_warn set ...\\n\\nThis is trigger as below:\\n          ns0                                    ns1\\ntun_set_iff() //dev is tun0\\n   tun-\u003edev = dev\\n//ip link set tun0 netns ns1\\n                                       put_net() //ref is 0\\n__tun_chr_ioctl() //TUNGETDEVNETNS\\n   net = dev_net(tun-\u003edev);\\n   open_related_ns(\u0026net-\u003ens, get_net_ns); //ns1\\n     get_net_ns()\\n        get_net() //addition on 0\\n\\nUse maybe_get_net() in get_net_ns in case net\u0027s ref is zero to fix this\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netns: haga que get_net_ns() maneje cero refcount net. Syzkaller recibi\u00f3 una advertencia: refcount_t: adici\u00f3n en 0; use-after-free. ADVERTENCIA: CPU: 3 PID: 7890 en lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 M\u00f3dulos vinculados en: CPU: 3 PID: 7890 Comm: tun No contaminado 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware nombre: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 01/04/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 C\u00f3digo: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 \u0026lt;0f\u0026gt; 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018: ffff8881067b7da0 EFLAGS: 00010286 RAX: 00000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 00000000000000000 R11: 205d303938375420 R12: 8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS : 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: ? show_regs+0xa3/0xc0? __advertir+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0? report_bug+0x1fc/0x2d0? refcount_warn_saturate+0xdf/0x1d0? handle_bug+0xa1/0x110? exc_invalid_op+0x3c/0xb0? asm_exc_invalid_op+0x1f/0x30? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_ related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 Entry_SYSCALL_64_after_h wframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 C\u00f3digo: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff 73 01 c3 48 8b 0d 81 48 2d 0 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 00000000000000000  P\u00e1nico del kernel - no sincronizado: kernel: p\u00e1nico_on_warn set ... Esto se activa como se muestra a continuaci\u00f3n: ns0 ns1 tun_set_iff() //dev is tun0 tun-\u0026gt;dev = dev //ip link set tun0 netns ns1 put_net() //ref es 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun-\u0026gt;dev); open_ related_ns(\u0026amp;net-\u0026gt;ns, get_net_ns); //ns1 get_net_ns() get_net() //adici\u00f3n en 0 Use may_get_net() en get_net_ns en caso de que la referencia de red sea cero para solucionar este problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2\",\"versionEndExcluding\":\"5.4.279\",\"matchCriteriaId\":\"5A16AF13-82B4-4031-88E2-F3A1AE0863D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.221\",\"matchCriteriaId\":\"659E1520-6345-41AF-B893-A7C0647585A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.162\",\"matchCriteriaId\":\"10A39ACC-3005-40E8-875C-98A372D1FFD5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.96\",\"matchCriteriaId\":\"61E887B4-732A-40D2-9983-CC6F281EBFB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.36\",\"matchCriteriaId\":\"E1046C95-860A-45B0-B718-2B29F65BFF10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.9.7\",\"matchCriteriaId\":\"0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2EBB4392-5FA6-4DA9-9772-8F9C750109FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"331C2F14-12C7-45D5-893D-8C52EE38EA10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3173713D-909A-4DD3-9DD4-1E171EB057EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"79F18AFA-40F7-43F0-BA30-7BDB65F918B9\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.