CVE-2024-50059
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition
In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work.
If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| check_link_status_work
switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev
Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < 5126d8f5567f49b52e21fca320eaa97977055099 | affected |
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < b650189687822b705711f0567a65a164a314d8df | affected |
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < 92728fceefdaa2a0a3aae675f86193b006eeaa43 | affected |
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < 3ae45be8492460a35b5aebf6acac1f1d32708946 | affected |
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd | affected |
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < 177925d9c8715a897bb79eca62628862213ba956 | affected |
| Linux | Linux | d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 < e51aded92d42784313ba16c12f4f88cc4f973bbb | affected |
| Linux | Linux | 4.16 | affected |
| Linux | Linux | 0 < 4.16 | unaffected |
| Linux | Linux | 5.4.285 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.227 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.168 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.113 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.57 <= 6.6.* | unaffected |
| Linux | Linux | 6.11.4 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
References
- https://git.kernel.org/stable/c/5126d8f5567f49b52e21fca320eaa97977055099
- https://git.kernel.org/stable/c/b650189687822b705711f0567a65a164a314d8df
- https://git.kernel.org/stable/c/92728fceefdaa2a0a3aae675f86193b006eeaa43
- https://git.kernel.org/stable/c/3ae45be8492460a35b5aebf6acac1f1d32708946
- https://git.kernel.org/stable/c/fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd
- https://git.kernel.org/stable/c/177925d9c8715a897bb79eca62628862213ba956
- https://git.kernel.org/stable/c/e51aded92d42784313ba16c12f4f88cc4f973bbb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.