| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/net/inet_connection_sock.h", |
| "include/net/sock.h", |
| "net/ipv4/inet_connection_sock.c", |
| "net/ipv4/tcp.c" |
| ], |
| "versions": [ |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "93f0133b9d589cc6e865f254ad9be3e9d8133f50", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "44e62f5d35678686734afd47c6a421ad30772e7f", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "e3e27d2b446deb1f643758a0c4731f5c22492810", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "91b243de910a9ac8476d40238ab3dbfeedd5b7de", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "c1ae4d1e76eacddaacb958b67cd942082f800c87", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "899265c1389fe022802aae73dbf13ee08837a35a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", |
| "lessThan": "151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/net/inet_connection_sock.h", |
| "include/net/sock.h", |
| "net/ipv4/inet_connection_sock.c", |
| "net/ipv4/tcp.c" |
| ], |
| "versions": [ |
| { |
| "version": "4.2", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "4.2", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.19.312", |
| "lessThanOrEqual": "4.19.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.274", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.215", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.154", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.85", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.26", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.8.5", |
| "lessThanOrEqual": "6.8.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.9", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "4.19.312" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "5.4.274" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "5.10.215" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "5.15.154" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "6.1.85" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "6.6.26" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "6.8.5" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.2", |
| "versionEndExcluding": "6.9" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada" |
| } |
| ], |
| "title": "tcp: properly terminate timers for kernel sockets", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-35910", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
