CVE-2024-46858

Summary

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: Fix uaf in __timer_delete_sync

There are two paths to access mptcp_pm_del_add_timer, result in a race condition:

 CPU1				CPU2
 ====                               ====
 net_rx_action
 napi_poll                          netlink_sendmsg
 __napi_poll                        netlink_unicast
 process_backlog                    netlink_unicast_kernel
 __netif_receive_skb                genl_rcv
 __netif_receive_skb_one_core       netlink_rcv_skb
 NF_HOOK                            genl_rcv_msg
 ip_local_deliver_finish            genl_family_rcv_msg
 ip_protocol_deliver_rcu            genl_family_rcv_msg_doit
 tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit
 tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list
 tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows
 tcp_data_queue                     remove_anno_list_by_saddr
 mptcp_incoming_options             mptcp_pm_del_add_timer
 mptcp_pm_del_add_timer             kfree(entry)

In remove_anno_list_by_saddr(running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).

Keeping a reference to add_timer inside the lock, and calling sk_stop_timer_sync() with this reference, instead of "entry->add_timer".

Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, do not directly access any members of the entry outside the pm lock, which can avoid similar "entry->x" uaf.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux00cfd77b9063dcdf3628a7087faba60de85a9cc8 < 0e7814b028cd50b3ff79659d23dfa9da6a1e75e1affected
LinuxLinux00cfd77b9063dcdf3628a7087faba60de85a9cc8 < 3554482f4691571fc4b5490c17ae26896e62171caffected
LinuxLinux00cfd77b9063dcdf3628a7087faba60de85a9cc8 < 67409b358500c71632116356a0b065f112d7b707affected
LinuxLinux00cfd77b9063dcdf3628a7087faba60de85a9cc8 < 6452b162549c7f9ef54655d3fb9977b9192e6e5baffected
LinuxLinux00cfd77b9063dcdf3628a7087faba60de85a9cc8 < 12134a652b0a10064844ea235173e70246eba6dcaffected
LinuxLinux00cfd77b9063dcdf3628a7087faba60de85a9cc8 < b4cd80b0338945a94972ac3ed54f8338d2da2076affected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux5.10.227 <= 5.10.*unaffected
LinuxLinux5.15.168 <= 5.15.*unaffected
LinuxLinux6.1.111 <= 6.1.*unaffected
LinuxLinux6.6.52 <= 6.6.*unaffected
LinuxLinux6.10.11 <= 6.10.*unaffected
LinuxLinux6.11 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References