From: Greg KH <gregkh@linuxfoundation.org>
To: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().
Date: Tue, 18 Feb 2025 14:10:20 +0100
Message-ID: <2025021818-police-task-b198@gregkh>
In-Reply-To: <6ad79bb59b3535c9666ed5873dee4975f0745676.camel@oracle.com>
On Tue, Feb 18, 2025 at 01:04:05PM +0000, Siddh Raman Pant wrote:
> The commit message has:
> > tipc: Fix use-after-free of kernel socket in cleanup_bearer().
> >
> > syzkaller reported a use-after-free of UDP kernel socket
> > in cleanup_bearer() without repro. [0][1]
> >
> > When bearer_disable() calls tipc_udp_disable(), cleanup
> > of the UDP kernel socket is deferred by work calling
> > cleanup_bearer().
> >
> > tipc_net_stop() waits for such works to finish by checking
> > tipc_net(net)->wq_count. However, the work decrements the
> > count too early before releasing the kernel socket,
> > unblocking cleanup_net() and resulting in use-after-free.
>
> This is incorrect; the function which waits is tipc_exit_net, which has
> the spinning while loop.
>
> That function is an exit function so this can't be triggered without
> privileges.
>
> Could it be grounds for rejection? Probably not but I thought I should
> ask.
If you think the text is incorrect, please send us a patch for the text
and we can apply it to the cve data.
> > Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
>
> The fixes tag is incorrect. It should be the commit which adds the
> counter, which is:
>
> 04c26faa51d1 ("tipc: wait and exit until all work queues are done")
>
> Maybe this needs to be corrected in the JSONs (as the commits are set
> in stone).
Again, if the Fixes: tag is incorrect, please send us the correct
information as a .vulnerable file as our vulns.git cve documentation
shows and we will be glad to regenerate the entry.
thanks,
greg k-h
Thread overview:
2024-12-27 15:02 CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer() Greg Kroah-Hartman
2025-02-18 13:04 ` Siddh Raman Pant
2025-02-18 13:10 ` Greg KH [this message]
2025-02-18 13:53 ` [PATCH] CVE-2024-56642: Fix wrong fixes tag and function name in commit message Siddh Raman Pant
2025-02-18 14:06 ` Greg KH
2025-02-18 14:37 ` [PATCH 1/2] CVE-2024-56642: Fix wrong fixes tag Siddh Raman Pant
2025-02-18 15:26 ` Greg KH
2025-02-18 14:37 ` [PATCH 2/2] CVE-2024-56642: Fix mention of wrong function Siddh Raman Pant