public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().
Date: Tue, 18 Feb 2025 14:10:20 +0100
Message-ID: <2025021818-police-task-b198@gregkh>
In-Reply-To: <6ad79bb59b3535c9666ed5873dee4975f0745676.camel@oracle.com>

On Tue, Feb 18, 2025 at 01:04:05PM +0000, Siddh Raman Pant wrote:
> The commit message has:
> > tipc: Fix use-after-free of kernel socket in cleanup_bearer().
> >
> > syzkaller reported a use-after-free of UDP kernel socket
> > in cleanup_bearer() without repro. [0][1]
> >
> > When bearer_disable() calls tipc_udp_disable(), cleanup
> > of the UDP kernel socket is deferred by work calling
> > cleanup_bearer().
> >
> > tipc_net_stop() waits for such works to finish by checking
> > tipc_net(net)->wq_count.  However, the work decrements the
> > count too early before releasing the kernel socket,
> > unblocking cleanup_net() and resulting in use-after-free.
> 
> This is incorrect; the function which waits is tipc_exit_net, which has
> the spinning while loop.
> 
> That function is an exit function so this can't be triggered without
> privileges.
> 
> Could it be grounds for rejection? Probably not but I thought I should
> ask.

If you think the text is incorrect, please send us a patch for the text
and we can apply it to the cve data.

> > Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
> 
> The fixes tag is incorrect. It should be the commit which adds the
> counter, which is:
> 
> 04c26faa51d1 ("tipc: wait and exit until all work queues are done")
> 
> Maybe this needs to be corrected in the JSONs (as the commits are set
> in stone).

Again, if the Fixes: tag is incorrect, please send us the correct
information as a .vulnerable file as our vulns.git cve documentation
shows and we will be glad to regenerate the entry.

thanks,

greg k-h

Thread overview: 7+ messages
     [not found] <2024122737-CVE-2024-56642-71ee@gregkh>
2025-02-18 13:04 ` CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer() Siddh Raman Pant
2025-02-18 13:10   ` Greg KH [this message]
2025-02-18 13:53     ` [PATCH] CVE-2024-56642: Fix wrong fixes tag and function name in commit message Siddh Raman Pant
2025-02-18 14:06       ` Greg KH
2025-02-18 14:37         ` [PATCH 1/2] CVE-2024-56642: Fix wrong fixes tag Siddh Raman Pant
2025-02-18 15:26           ` Greg KH
2025-02-18 14:37         ` [PATCH 2/2] CVE-2024-56642: Fix mention of wrong function Siddh Raman Pant