cve/published/2024/CVE-2024-49940.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49940: l2tp: prevent possible tunnel refcount underflow

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 l2tp: prevent possible tunnel refcount underflow

 When a session is created, it sets a backpointer to its tunnel. When
 the session refcount drops to 0, l2tp_session_free drops the tunnel
 refcount if session->tunnel is non-NULL. However, session->tunnel is
 set in l2tp_session_create, before the tunnel refcount is incremented
 by l2tp_session_register, which leaves a small window where
 session->tunnel is non-NULL when the tunnel refcount hasn't been
 bumped.

 Moving the assignment to l2tp_session_register is trivial but
 l2tp_session_create calls l2tp_session_set_header_len which uses
 session->tunnel to get the tunnel's encap. Add an encap arg to
 l2tp_session_set_header_len to avoid using session->tunnel.

 If l2tpv3 sessions have colliding IDs, it is possible for
 l2tp_v3_session_get to race with l2tp_session_register and fetch a
 session which doesn't yet have session->tunnel set. Add a check for
 this case.

 The Linux kernel CVE team has assigned CVE-2024-49940 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.11.3 with commit f7415e60c25a6108cd7955a20b2e66b6251ffe02
 	Fixed in 6.12 with commit 24256415d18695b46da06c93135f5b51c548b950

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49940
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/l2tp/l2tp_core.c
 	net/l2tp/l2tp_core.h
 	net/l2tp/l2tp_netlink.c
 	net/l2tp/l2tp_ppp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02
 	https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49940: l2tp: prevent possible tunnel refcount underflow

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	l2tp: prevent possible tunnel refcount underflow

	When a session is created, it sets a backpointer to its tunnel. When
	the session refcount drops to 0, l2tp_session_free drops the tunnel
	refcount if session->tunnel is non-NULL. However, session->tunnel is
	set in l2tp_session_create, before the tunnel refcount is incremented
	by l2tp_session_register, which leaves a small window where
	session->tunnel is non-NULL when the tunnel refcount hasn't been
	bumped.

	Moving the assignment to l2tp_session_register is trivial but
	l2tp_session_create calls l2tp_session_set_header_len which uses
	session->tunnel to get the tunnel's encap. Add an encap arg to
	l2tp_session_set_header_len to avoid using session->tunnel.

	If l2tpv3 sessions have colliding IDs, it is possible for
	l2tp_v3_session_get to race with l2tp_session_register and fetch a
	session which doesn't yet have session->tunnel set. Add a check for
	this case.

	The Linux kernel CVE team has assigned CVE-2024-49940 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.11.3 with commit f7415e60c25a6108cd7955a20b2e66b6251ffe02
	Fixed in 6.12 with commit 24256415d18695b46da06c93135f5b51c548b950

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49940
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/l2tp/l2tp_core.c
	net/l2tp/l2tp_core.h
	net/l2tp/l2tp_netlink.c
	net/l2tp/l2tp_ppp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02
	https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950