Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix UAF when resolving a clash KASAN reports the following UAF: BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] Read of size 1 at addr ffff888c07603600 by task handler130/6469 Call Trace: <IRQ> dump_stack_lvl+0x48/0x70 print_address_description.constprop.0+0x33/0x3d0 print_report+0xc0/0x2b0 kasan_report+0xd0/0x120 __asan_load1+0x6c/0x80 tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] tcf_ct_act+0x886/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 __irq_exit_rcu+0x82/0xc0 irq_exit_rcu+0xe/0x20 common_interrupt+0xa1/0xb0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 Allocated by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_alloc_info+0x1e/0x40 __kasan_krealloc+0x133/0x190 krealloc+0xaa/0x130 nf_ct_ext_add+0xed/0x230 [nf_conntrack] tcf_ct_act+0x1095/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 Freed by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_free_info+0x2b/0x60 ____kasan_slab_free+0x180/0x1f0 __kasan_slab_free+0x12/0x30 slab_free_freelist_hook+0xd2/0x1a0 __kmem_cache_free+0x1a2/0x2f0 kfree+0x78/0x120 nf_conntrack_free+0x74/0x130 [nf_conntrack] nf_ct_destroy+0xb2/0x140 [nf_conntrack] __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack] nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack] __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack] tcf_ct_act+0x12ad/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 The ct may be dropped if a clash has been resolved but is still passed to the tcf_ct_flow_table_process_conn function for further usage. This issue can be fixed by retrieving ct from skb again after confirming conntrack.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  7.0 HIGH

Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3	Patch
https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f	Patch
https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae	Patch
https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932	Patch
https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55	Patch
https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 9/10/2024 1:31:47 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 651 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.43 up to (excluding) 5.10.222 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.12.10 up to (excluding) 5.13 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.13 up to (excluding) 5.15.163 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.100 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions
Added	CVSS V3.1		NIST AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-416
Changed	Reference Type	https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3 No Types Assigned	https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f No Types Assigned	https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f Patch
Changed	Reference Type	https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae No Types Assigned	https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae Patch
Changed	Reference Type	https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932 No Types Assigned	https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55 No Types Assigned	https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e No Types Assigned	https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e Patch

New CVE Received by NIST 7/29/2024 11:15:12 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3057 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix UAF when resolving a clash KASAN reports the following UAF: BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] Read of size 1 at addr ffff888c07603600 by task handler130/6469 Call Trace: <IRQ> dump_stack_lvl+0x48/0x70 print_address_description.constprop.0+0x33/0x3d0 print_report+0xc0/0x2b0 kasan_report+0xd0/0x120 __asan_load1+0x6c/0x80 tcf_ct_flow_table_proc
Added	Reference		kernel.org https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e [No types assigned]