Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-53140.json
blob: 625304505a13f94e0a4e81f36db06ba58da64283 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump - actual dump helper, keeps getting called until it returns 0\n - done - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon't actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we're back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn't have to take a reference of its own."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/netlink/af_netlink.c",
"net/netlink/af_netlink.h"
],
"versions": [
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "114a61d8d94ae3a43b82446cf737fd757021b834",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "598c956b62699c3753929602560d8df322e60559",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "4e87a52133284afbd40fb522dbf96e258af52a98",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "176c41b3ca9281a9736b67c6121b03dbf0c8c08f",
"status": "affected",
"versionType": "git"
},
{
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"lessThan": "1904fb9ebf911441f90a68e96b22aa73e4410505",
"status": "affected",
"versionType": "git"
},
{
"version": "baaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18df",
"status": "affected",
"versionType": "git"
},
{
"version": "25d9b4bb64ea964769087fc5ae09aee9c838d759",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/netlink/af_netlink.c",
"net/netlink/af_netlink.h"
],
"versions": [
{
"version": "4.9",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.9",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.325",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.287",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.231",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.174",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.119",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.63",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.10",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "4.19.325"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "5.4.287"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "5.10.231"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "5.15.174"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.1.119"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.6.63"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.11.10"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.12"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.38"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.14"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834"
},
{
"url": "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559"
},
{
"url": "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4"
},
{
"url": "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603"
},
{
"url": "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98"
},
{
"url": "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca"
},
{
"url": "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f"
},
{
"url": "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505"
}
],
"title": "netlink: terminate outstanding dump on socket close",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-53140",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}