FKIE_CVE-2024-42271

Vulnerability from fkie_nvd - Published: 2024-08-17 09:15 - Updated: 2025-11-03 22:17
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407dPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431Patch
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.11
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4F8C11A-E708-4EBE-97BC-D7F6041074D6",
              "versionEndExcluding": "4.19.320",
              "versionStartIncluding": "3.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8961D98-9ACF-4188-BA88-44038B14BC28",
              "versionEndExcluding": "5.4.282",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CCEDF13-293D-4E64-B501-4409D0365AFE",
              "versionEndExcluding": "5.10.224",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4E2B568-3171-41DE-B519-F2B1A3600D94",
              "versionEndExcluding": "5.15.165",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20DB9042-F89E-4024-B005-ACBBA99CA659",
              "versionEndExcluding": "6.1.104",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6ED8FBDF-48EE-4FEB-8B1A-CFF4FBCB27BF",
              "versionEndExcluding": "6.6.45",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F9FECDC-6CB8-41E5-B32A-E46776100D9C",
              "versionEndExcluding": "6.10.4",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv-\u003epath is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([\u003c0000001e87f03880\u003e] 0x1e87f03880)\n[452744.123966]  [\u003c00000000d593001e\u003e] iucv_path_sever+0x96/0x138\n[452744.124330]  [\u003c000003ff801ddbca\u003e] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336]  [\u003c000003ff801e01b6\u003e] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341]  [\u003c000003ff801e08cc\u003e] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345]  [\u003c00000000d574794e\u003e] __sock_release+0x5e/0xe8\n[452744.124815]  [\u003c00000000d5747a0c\u003e] sock_close+0x34/0x48\n[452744.124820]  [\u003c00000000d5421642\u003e] __fput+0xba/0x268\n[452744.124826]  [\u003c00000000d51b382c\u003e] task_work_run+0xbc/0xf0\n[452744.124832]  [\u003c00000000d5145710\u003e] do_notify_resume+0x88/0x90\n[452744.124841]  [\u003c00000000d5978096\u003e] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321]  [\u003c00000000d5930018\u003e] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/iucv: corrige el use after free en iucv_sock_close() iucv_sever_path() se llama desde el contexto del proceso y desde el contexto bh. iucv-\u0026gt;path se utiliza como indicador de si alguien m\u00e1s se est\u00e1 encargando de cortar la ruta (o si ya se elimin\u00f3 o nunca existi\u00f3). Esto debe hacerse con comparaci\u00f3n e intercambio at\u00f3mico; de lo contrario, hay una peque\u00f1a ventana donde iucv_sock_close() intentar\u00e1 trabajar con una ruta que ya ha sido cortada y liberada por iucv_callback_connrej() llamada por iucv_tasklet_fn(). Ejemplo: [452744.123844] Seguimiento de llamadas: [452744.123845] ([\u0026lt;0000001e87f03880\u0026gt;] 0x1e87f03880) [452744.123966] [\u0026lt;00000000d593001e\u0026gt;] iucv_path_sever+0x96/0x13 8 [452744.124330] [\u0026lt;000003ff801ddbca\u0026gt;] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336 ] [\u0026lt;000003ff801e01b6\u0026gt;] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [\u0026lt;000003ff801e08cc\u0026gt;] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] 000000d574794e\u0026gt;] __sock_release+0x5e/0xe8 [452744.124815] [\u0026lt;00000000d5747a0c\u0026gt; ] sock_close+0x34/0x48 [452744.124820] [\u0026lt;00000000d5421642\u0026gt;] __fput+0xba/0x268 [452744.124826] [\u0026lt;00000000d51b382c\u0026gt;] task_work_run+0xbc/0xf0 [452744.1 24832] [\u0026lt;00000000d5145710\u0026gt;] do_notify_resume+0x88/0x90 [452744.124841] [\u0026lt; 00000000d5978096\u0026gt;] system_call+0xe2/0x2c8 [452744.125319] \u00daltima direcci\u00f3n del evento de \u00faltima hora: [452744.125321] [\u0026lt;00000000d5930018\u0026gt;] iucv_path_sever+0x90/0x138 [452744.125 324] [452744.125325] P\u00e1nico del kernel: no se sincroniza: excepci\u00f3n fatal en la interrupci\u00f3n. Tenga en cuenta que bh_lock_sock () no serializa el contexto del tasklet con respecto al contexto del proceso, porque falta la verificaci\u00f3n de sock_owned_by_user() y el manejo correspondiente. Ideas para un futuro parche de limpieza: A) Uso correcto de bh_lock_sock() en el contexto del tasklet, como se describe en Volver a poner en cola, si es necesario. Esto puede requerir agregar valores de retorno a las funciones del tasklet y, por lo tanto, cambios para todos los usuarios de iucv. B) Cambie el tasklet iucv a trabajador y use solo lock_sock() en af_iucv."
    }
  ],
  "id": "CVE-2024-42271",
  "lastModified": "2025-11-03T22:17:52.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-17T09:15:08.307",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.