fkie_cve-2024-40942
Vulnerability from fkie_nvd
Published
2024-07-12 13:15
Modified
2024-11-21 09:31
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
The hwmp code use objects of type mesh_preq_queue, added to a list in
ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
gets deleted, ex mesh interface is removed, the entries in that list will
never get cleaned. Fix this by flushing all corresponding items of the
preq_queue in mesh_path_flush_pending().
This should take care of KASAN reports like this:
unreferenced object 0xffff00000668d800 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
hex dump (first 32 bytes):
00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....
8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
unreferenced object 0xffff000009051f00 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
hex dump (first 32 bytes):
90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....
36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n hex dump (first 32 bytes):\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....\u003e...........\n backtrace:\n [\u003c000000007302a0b6\u003e] __kmem_cache_alloc_node+0x1e0/0x35c\n [\u003c00000000049bd418\u003e] kmalloc_trace+0x34/0x80\n [\u003c0000000000d792bb\u003e] mesh_queue_preq+0x44/0x2a8\n [\u003c00000000c99c3696\u003e] mesh_nexthop_resolve+0x198/0x19c\n [\u003c00000000926bf598\u003e] ieee80211_xmit+0x1d0/0x1f4\n [\u003c00000000fc8c2284\u003e] __ieee80211_subif_start_xmit+0x30c/0x764\n [\u003c000000005926ee38\u003e] ieee80211_subif_start_xmit+0x9c/0x7a4\n [\u003c000000004c86e916\u003e] dev_hard_start_xmit+0x174/0x440\n [\u003c0000000023495647\u003e] __dev_queue_xmit+0xe24/0x111c\n [\u003c00000000cfe9ca78\u003e] batadv_send_skb_packet+0x180/0x1e4\n [\u003c000000007bacc5d5\u003e] batadv_v_elp_periodic_work+0x2f4/0x508\n [\u003c00000000adc3cd94\u003e] process_one_work+0x4b8/0xa1c\n [\u003c00000000b36425d1\u003e] worker_thread+0x9c/0x634\n [\u003c0000000005852dd5\u003e] kthread+0x1bc/0x1c4\n [\u003c000000005fccd770\u003e] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n hex dump (first 32 bytes):\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6\u0027.......Xy.....\n backtrace:\n [\u003c000000007302a0b6\u003e] __kmem_cache_alloc_node+0x1e0/0x35c\n [\u003c00000000049bd418\u003e] kmalloc_trace+0x34/0x80\n [\u003c0000000000d792bb\u003e] mesh_queue_preq+0x44/0x2a8\n [\u003c00000000c99c3696\u003e] mesh_nexthop_resolve+0x198/0x19c\n [\u003c00000000926bf598\u003e] ieee80211_xmit+0x1d0/0x1f4\n [\u003c00000000fc8c2284\u003e] __ieee80211_subif_start_xmit+0x30c/0x764\n [\u003c000000005926ee38\u003e] ieee80211_subif_start_xmit+0x9c/0x7a4\n [\u003c000000004c86e916\u003e] dev_hard_start_xmit+0x174/0x440\n [\u003c0000000023495647\u003e] __dev_queue_xmit+0xe24/0x111c\n [\u003c00000000cfe9ca78\u003e] batadv_send_skb_packet+0x180/0x1e4\n [\u003c000000007bacc5d5\u003e] batadv_v_elp_periodic_work+0x2f4/0x508\n [\u003c00000000adc3cd94\u003e] process_one_work+0x4b8/0xa1c\n [\u003c00000000b36425d1\u003e] worker_thread+0x9c/0x634\n [\u003c0000000005852dd5\u003e] kthread+0x1bc/0x1c4\n [\u003c000000005fccd770\u003e] ret_from_fork+0x10/0x20"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: mac80211: mesh: corrige la fuga de objetos mesh_preq_queue El c\u00f3digo hwmp usa objetos de tipo mesh_preq_queue, agregados a una lista en ieee80211_if_mesh, para realizar un seguimiento del mpath que necesitamos resolver. Si se elimina mpath, se elimina la interfaz ex mesh, las entradas en esa lista nunca se limpiar\u00e1n. Solucione este problema eliminando todos los elementos correspondientes de preq_queue en mesh_path_flush_pending(). Esto deber\u00eda encargarse de informes KASAN como este: objeto sin referencia 0xffff00000668d800 (tama\u00f1o 128): comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (edad 1836.444s) volcado hexadecimal (primeros 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....\u0026gt;.. ......... retroceso: [\u0026lt;000000007302a0b6\u0026gt;] __kmem_cache_alloc_node+0x1e0/0x35c [\u0026lt;00000000049bd418\u0026gt;] kmalloc_trace+0x34/0x80 [\u0026lt;0000000000d792bb\u0026gt;] 8 [\u0026lt;00000000c99c3696\u0026gt;] mesh_nexthop_resolve+0x198/ 0x19c [\u0026lt;00000000926bf598\u0026gt;] ieee80211_xmit+0x1d0/0x1f4 [\u0026lt;00000000fc8c2284\u0026gt;] __ieee80211_subif_start_xmit+0x30c/0x764 [\u0026lt;000000005926ee38\u0026gt;] 11_subif_start_xmit+0x9c/0x7a4 [\u0026lt;000000004c86e916\u0026gt;] dev_hard_start_xmit+0x174/0x440 [\u0026lt;0000000023495647\u0026gt;] __dev_queue_xmit+0xe24/ 0x111c [\u0026lt;00000000cfe9ca78\u0026gt;] batadv_send_skb_packet+0x180/0x1e4 [\u0026lt;000000007bacc5d5\u0026gt;] batadv_v_elp_periodic_work+0x2f4/0x508 [\u0026lt;00000000adc3cd94\u0026gt;] xa1c [\u0026lt;00000000b36425d1\u0026gt;] hilo_trabajador+0x9c/0x634 [\u0026lt;0000000005852dd5\u0026gt;] kthread+0x1bc/ 0x1c4 [\u0026lt;000000005fccd770\u0026gt;] ret_from_fork+0x10/0x20 objeto sin referencia 0xffff000009051f00 (tama\u00f1o 128): comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (edad 1836.440s) volcado hexadecimal (primero 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6\u0027.... ...Xy..... retroceso: [\u0026lt;000000007302a0b6\u0026gt;] __kmem_cache_alloc_node+0x1e0/0x35c [\u0026lt;00000000049bd418\u0026gt;] kmalloc_trace+0x34/0x80 [\u0026lt;0000000000d792bb\u0026gt;] 0x2a8 [\u0026lt;00000000c99c3696\u0026gt;] mesh_nexthop_resolve+0x198/ 0x19c [\u0026lt;00000000926bf598\u0026gt;] ieee80211_xmit+0x1d0/0x1f4 [\u0026lt;00000000fc8c2284\u0026gt;] __ieee80211_subif_start_xmit+0x30c/0x764 [\u0026lt;000000005926ee38\u0026gt;] 11_subif_start_xmit+0x9c/0x7a4 [\u0026lt;000000004c86e916\u0026gt;] dev_hard_start_xmit+0x174/0x440 [\u0026lt;0000000023495647\u0026gt;] __dev_queue_xmit+0xe24/ 0x111c [\u0026lt;00000000cfe9ca78\u0026gt;] batadv_send_skb_packet+0x180/0x1e4 [\u0026lt;000000007bacc5d5\u0026gt;] batadv_v_elp_periodic_work+0x2f4/0x508 [\u0026lt;00000000adc3cd94\u0026gt;] xa1c [\u0026lt;00000000b36425d1\u0026gt;] hilo_trabajador+0x9c/0x634 [\u0026lt;0000000005852dd5\u0026gt;] kthread+0x1bc/ 0x1c4 [\u0026lt;000000005fccd770\u0026gt;] ret_from_fork+0x10/0x20"
}
],
"id": "CVE-2024-40942",
"lastModified": "2024-11-21T09:31:55.097",
"metrics": {},
"published": "2024-07-12T13:15:16.520",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…