CVE-2024-53140

Summary

In the Linux kernel, the following vulnerability has been resolved:

netlink: terminate outstanding dump on socket close

Netlink supports iterative dumping of data. It provides the families the following ops:

  • start - (optional) kicks off the dumping process
  • dump - actual dump helper, keeps getting called until it returns 0
  • done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket.

This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done.

The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed.

Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one.

The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress.

Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < 114a61d8d94ae3a43b82446cf737fd757021b834affected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < 598c956b62699c3753929602560d8df322e60559affected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < 6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4affected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603affected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < 4e87a52133284afbd40fb522dbf96e258af52a98affected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < bbc769d2fa1b8b368c5fbe013b5b096afa3c05caaffected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < 176c41b3ca9281a9736b67c6121b03dbf0c8c08faffected
LinuxLinuxed5d7788a934a4b6d6d025e948ed4da496b4f12e < 1904fb9ebf911441f90a68e96b22aa73e4410505affected
LinuxLinuxbaaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18dfaffected
LinuxLinux25d9b4bb64ea964769087fc5ae09aee9c838d759affected
LinuxLinux4.4.38 < 4.5affected
LinuxLinux4.8.14 < 4.9affected
LinuxLinux4.9affected
LinuxLinux0 < 4.9unaffected
LinuxLinux4.19.325 <= 4.19.*unaffected
LinuxLinux5.4.287 <= 5.4.*unaffected
LinuxLinux5.10.231 <= 5.10.*unaffected
LinuxLinux5.15.174 <= 5.15.*unaffected
LinuxLinux6.1.119 <= 6.1.*unaffected
LinuxLinux6.6.63 <= 6.6.*unaffected
LinuxLinux6.11.10 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References