net: bridge: mcast:删除端口时等待之前的 gc 循环(CVE-2024-44934)

admin 2024-08-28 16:20:23 Ali_nvd 来源:ZONE.CI 全球网 0 阅读模式
net: bridge: mcast:删除端口时等待之前的 gc 循环(CVE-2024-44934)

CVE编号

CVE-2024-44934

利用情况

暂无

补丁情况

N/A

披露时间

2024-08-26
漏洞描述
In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: wait for previous gc cycles when removing port syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is: CPU 1 CPU 2 start gc cycle remove port acquire gc lock first wait for lock call br_multicasg_gc() directly acquire lock now butfree port the port can be freed while grp timers still running Make sure all previous gc cycles have finished by using flush_work before freeing the port. [1] BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [inline] __run_timer_base kernel/time/timer.c:2421 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2437
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f
https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f
https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078
https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658
https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 debian_12 linux * Up to (excluding) 6.1.106-1
运行在以下环境
系统 linux linux_kernel * From (including) 5.10 Up to (excluding) 5.15.165
运行在以下环境
系统 linux linux_kernel * From (including) 5.16 Up to (excluding) 6.1.105
运行在以下环境
系统 linux linux_kernel * From (including) 6.2 Up to (excluding) 6.6.46
运行在以下环境
系统 linux linux_kernel * From (including) 6.7 Up to (excluding) 6.10.5
运行在以下环境
系统 linux linux_kernel 6.11 -
CVSS3评分 7.8
  • 攻击路径 本地
  • 攻击复杂度 低
  • 权限要求 低
  • 影响范围 未更改
  • 用户交互 无
  • 可用性 高
  • 保密性 高
  • 完整性 高
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-ID 漏洞类型
CWE-416 释放后使用
- avd.aliyun.com
weinxin
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论:0   参与:  0