CVE-2024-49940
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: prevent possible tunnel refcount underflow
When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped.
Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel.
If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3953ae7b218df4d1e544b98a393666f9ae58a78c < f7415e60c25a6108cd7955a20b2e66b6251ffe02 | affected |
| Linux | Linux | 3953ae7b218df4d1e544b98a393666f9ae58a78c < 24256415d18695b46da06c93135f5b51c548b950 | affected |
| Linux | Linux | b102bfc2a90d14f342580285782a9a51c74f7369 | affected |
| Linux | Linux | 10c15ddabbcf888922adbdd44ca3fecf6eab19d9 | affected |
| Linux | Linux | 8d1c650d452c53fcb3f02a7b1d772741639f89a4 | affected |
| Linux | Linux | 12b5fb58ac993c24210cf8cbc72d407d3a4e6490 | affected |
| Linux | Linux | aef37401b467a0b1a9517c69924a1d66937e0789 | affected |
| Linux | Linux | 3.2.99 < 3.3 | affected |
| Linux | Linux | 3.16.54 < 3.17 | affected |
| Linux | Linux | 4.4.225 < 4.5 | affected |
| Linux | Linux | 4.9.225 < 4.10 | affected |
| Linux | Linux | 4.14.182 < 4.15 | affected |
| Linux | Linux | 4.15 | affected |
| Linux | Linux | 0 < 4.15 | unaffected |
| Linux | Linux | 6.11.3 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02
- https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.