csaf_opensuse - opensuse-su-2024:13959-1

opensuse-su-2024:13959-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

kernel-devel-6.8.9-1.1 on GA media

Notes

Title of the patch

kernel-devel-6.8.9-1.1 on GA media

Description of the patch

These are all security issues fixed in the kernel-devel-6.8.9-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13959

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "kernel-devel-6.8.9-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the kernel-devel-6.8.9-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13959",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13959-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26862 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26862/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26865 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26865/"
      }
    ],
    "title": "kernel-devel-6.8.9-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13959-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-devel-6.8.9-1.1.aarch64",
                "product": {
                  "name": "kernel-devel-6.8.9-1.1.aarch64",
                  "product_id": "kernel-devel-6.8.9-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-macros-6.8.9-1.1.aarch64",
                "product": {
                  "name": "kernel-macros-6.8.9-1.1.aarch64",
                  "product_id": "kernel-macros-6.8.9-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-6.8.9-1.1.aarch64",
                "product": {
                  "name": "kernel-source-6.8.9-1.1.aarch64",
                  "product_id": "kernel-source-6.8.9-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-vanilla-6.8.9-1.1.aarch64",
                "product": {
                  "name": "kernel-source-vanilla-6.8.9-1.1.aarch64",
                  "product_id": "kernel-source-vanilla-6.8.9-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-devel-6.8.9-1.1.ppc64le",
                "product": {
                  "name": "kernel-devel-6.8.9-1.1.ppc64le",
                  "product_id": "kernel-devel-6.8.9-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-macros-6.8.9-1.1.ppc64le",
                "product": {
                  "name": "kernel-macros-6.8.9-1.1.ppc64le",
                  "product_id": "kernel-macros-6.8.9-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-6.8.9-1.1.ppc64le",
                "product": {
                  "name": "kernel-source-6.8.9-1.1.ppc64le",
                  "product_id": "kernel-source-6.8.9-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-vanilla-6.8.9-1.1.ppc64le",
                "product": {
                  "name": "kernel-source-vanilla-6.8.9-1.1.ppc64le",
                  "product_id": "kernel-source-vanilla-6.8.9-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-devel-6.8.9-1.1.s390x",
                "product": {
                  "name": "kernel-devel-6.8.9-1.1.s390x",
                  "product_id": "kernel-devel-6.8.9-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-macros-6.8.9-1.1.s390x",
                "product": {
                  "name": "kernel-macros-6.8.9-1.1.s390x",
                  "product_id": "kernel-macros-6.8.9-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-6.8.9-1.1.s390x",
                "product": {
                  "name": "kernel-source-6.8.9-1.1.s390x",
                  "product_id": "kernel-source-6.8.9-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-vanilla-6.8.9-1.1.s390x",
                "product": {
                  "name": "kernel-source-vanilla-6.8.9-1.1.s390x",
                  "product_id": "kernel-source-vanilla-6.8.9-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-devel-6.8.9-1.1.x86_64",
                "product": {
                  "name": "kernel-devel-6.8.9-1.1.x86_64",
                  "product_id": "kernel-devel-6.8.9-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-macros-6.8.9-1.1.x86_64",
                "product": {
                  "name": "kernel-macros-6.8.9-1.1.x86_64",
                  "product_id": "kernel-macros-6.8.9-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-6.8.9-1.1.x86_64",
                "product": {
                  "name": "kernel-source-6.8.9-1.1.x86_64",
                  "product_id": "kernel-source-6.8.9-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-vanilla-6.8.9-1.1.x86_64",
                "product": {
                  "name": "kernel-source-vanilla-6.8.9-1.1.x86_64",
                  "product_id": "kernel-source-vanilla-6.8.9-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-devel-6.8.9-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64"
        },
        "product_reference": "kernel-devel-6.8.9-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-devel-6.8.9-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le"
        },
        "product_reference": "kernel-devel-6.8.9-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-devel-6.8.9-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x"
        },
        "product_reference": "kernel-devel-6.8.9-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-devel-6.8.9-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64"
        },
        "product_reference": "kernel-devel-6.8.9-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-macros-6.8.9-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64"
        },
        "product_reference": "kernel-macros-6.8.9-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-macros-6.8.9-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le"
        },
        "product_reference": "kernel-macros-6.8.9-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-macros-6.8.9-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x"
        },
        "product_reference": "kernel-macros-6.8.9-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-macros-6.8.9-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64"
        },
        "product_reference": "kernel-macros-6.8.9-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-6.8.9-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64"
        },
        "product_reference": "kernel-source-6.8.9-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-6.8.9-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le"
        },
        "product_reference": "kernel-source-6.8.9-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-6.8.9-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x"
        },
        "product_reference": "kernel-source-6.8.9-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-6.8.9-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64"
        },
        "product_reference": "kernel-source-6.8.9-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-vanilla-6.8.9-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64"
        },
        "product_reference": "kernel-source-vanilla-6.8.9-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-vanilla-6.8.9-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le"
        },
        "product_reference": "kernel-source-vanilla-6.8.9-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-vanilla-6.8.9-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x"
        },
        "product_reference": "kernel-source-vanilla-6.8.9-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-vanilla-6.8.9-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
        },
        "product_reference": "kernel-source-vanilla-6.8.9-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26862",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26862"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\npacket: annotate data-races around ignore_outgoing\n\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\n\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\n\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n\nvalue changed: 0x00 -\u003e 0x01\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26862",
          "url": "https://www.suse.com/security/cve/CVE-2024-26862"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223111 for CVE-2024-26862",
          "url": "https://bugzilla.suse.com/1223111"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-26862"
    },
    {
      "cve": "CVE-2024-26865",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26865"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\n\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\n\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\n\n  18:26:22 executing program 1:\n  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n  ...\n  connect$inet6(r0, \u0026(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\n\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\n\nSo, the scenario would be:\n\n  1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n      rds_tcp_listen_init().\n  2. syz-executor connect()s to it and creates a reqsk.\n  3. syz-executor exit()s immediately.\n  4. netns is dismantled.  [0]\n  5. reqsk timer is fired, and UAF happens while freeing reqsk.  [1]\n  6. listener is freed after RCU grace period.  [2]\n\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener\u0027s refcount.\nHowever, this was not the case for kernel sockets.\n\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener\u0027s reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\n\nLet\u0027s apply the same fix for the global ehash.\n\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n     inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n     __sock_create (net/socket.c:1572)\n     rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n     rds_tcp_init_net (net/rds/tcp.c:577)\n     ops_init (net/core/net_namespace.c:137)\n     setup_net (net/core/net_namespace.c:340)\n     copy_net_ns (net/core/net_namespace.c:497)\n     create_new_namespaces (kernel/nsproxy.c:110)\n     unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n     ksys_unshare (kernel/fork.c:3429)\n     __x64_sys_unshare (kernel/fork.c:3496)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\n\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n \u003c/IRQ\u003e\n\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x",
          "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26865",
          "url": "https://www.suse.com/security/cve/CVE-2024-26865"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223062 for CVE-2024-26865",
          "url": "https://bugzilla.suse.com/1223062"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223063 for CVE-2024-26865",
          "url": "https://bugzilla.suse.com/1223063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-devel-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-macros-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-6.8.9-1.1.x86_64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.aarch64",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.ppc64le",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.s390x",
            "openSUSE Tumbleweed:kernel-source-vanilla-6.8.9-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26865"
    }
  ]
}

CVE-2024-26862 (GCVE-0-2024-26862)

Vulnerability from cvelistv5

Published

2024-04-17 10:27

Modified

2025-05-04 08:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: packet: annotate data-races around ignore_outgoing ignore_outgoing is read locklessly from dev_queue_xmit_nit() and packet_getsockopt() Add appropriate READ_ONCE()/WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0: packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003 do_sock_setsockopt net/socket.c:2311 [inline] __sys_setsockopt+0x1d8/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1: dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248 xmit_one net/core/dev.c:3527 [inline] dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547 __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108 batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335 worker_thread+0x526/0x730 kernel/workqueue.c:3416 kthread+0x1d1/0x210 kernel/kthread.c:388 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 value changed: 0x00 -> 0x01 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet

References

►

URL

Tags

	https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0
	https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd
	https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560
	https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5
	https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37
	https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234
	https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97
	https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97

Impacted products

Vendor

Product

Version

►

Linux

Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488
Version: fa788d986a3aac5069378ed04697bd06f83d3488

Linux

Version: 4.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26862",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:41:30.819714Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:48:16.027Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:04.133Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c",
            "net/packet/af_packet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "84c510411e321caff3c07e6cd0f917f06633cfc0",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "68e84120319d4fc298fcdb14cf0bea6a0f64ffbd",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "d35b62c224e70797f8a1c37fe9bc4b3e294b7560",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "ef7eed7e11d23337310ecc2c014ecaeea52719c5",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "2c02c5059c78a52d170bdee4a369b470de6deb37",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "ee413f30ec4fe94a0bdf32c8f042cb06fa913234",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "8b1e273c6afcf00d3c40a54ada7d6aac1b503b97",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            },
            {
              "lessThan": "6ebfad33161afacb3e1e59ed1c2feefef70f9f97",
              "status": "affected",
              "version": "fa788d986a3aac5069378ed04697bd06f83d3488",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c",
            "net/packet/af_packet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.273",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.214",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.273",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.214",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.153",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.83",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.23",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.11",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.2",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npacket: annotate data-races around ignore_outgoing\n\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\n\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\n\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n\nvalue changed: 0x00 -\u003e 0x01\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:58:13.163Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0"
        },
        {
          "url": "https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97"
        }
      ],
      "title": "packet: annotate data-races around ignore_outgoing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26862",
    "datePublished": "2024-04-17T10:27:25.634Z",
    "dateReserved": "2024-02-19T14:20:24.184Z",
    "dateUpdated": "2025-05-04T08:58:13.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26865 (GCVE-0-2024-26865)

Vulnerability from cvelistv5

Published

2024-04-17 10:27

Modified

2025-05-04 08:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rds: tcp: Fix use-after-free of net in reqsk_timer_handler(). syzkaller reported a warning of netns tracker [0] followed by KASAN splat [1] and another ref tracker warning [1]. syzkaller could not find a repro, but in the log, the only suspicious sequence was as follows: 18:26:22 executing program 1: r0 = socket$inet6_mptcp(0xa, 0x1, 0x106) ... connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async) The notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT. So, the scenario would be: 1. unshare(CLONE_NEWNET) creates a per netns tcp listener in rds_tcp_listen_init(). 2. syz-executor connect()s to it and creates a reqsk. 3. syz-executor exit()s immediately. 4. netns is dismantled. [0] 5. reqsk timer is fired, and UAF happens while freeing reqsk. [1] 6. listener is freed after RCU grace period. [2] Basically, reqsk assumes that the listener guarantees netns safety until all reqsk timers are expired by holding the listener's refcount. However, this was not the case for kernel sockets. Commit 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()") fixed this issue only for per-netns ehash. Let's apply the same fix for the global ehash. [0]: ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146) inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119) __sock_create (net/socket.c:1572) rds_tcp_listen_init (net/rds/tcp_listen.c:279) rds_tcp_init_net (net/rds/tcp.c:577) ops_init (net/core/net_namespace.c:137) setup_net (net/core/net_namespace.c:340) copy_net_ns (net/core/net_namespace.c:497) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3429) __x64_sys_unshare (kernel/fork.c:3496) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) ... WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) [1]: BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966) Read of size 8 at addr ffff88801b370400 by task swapper/0/0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) kasan_report (mm/kasan/report.c:603) inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966) reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038) run_timer_softirq (kernel/time/timer.c:2053) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14)) </IRQ> Allocated by task 258 on cpu 0 at 83.612050s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:343) kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867) copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_name ---truncated---

References

►

URL

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2024:13959-1

Vulnerability from csaf_opensuse

CVE-2024-26862 (GCVE-0-2024-26862)

Vulnerability from cvelistv5

CVE-2024-26865 (GCVE-0-2024-26865)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature