CVE-2024-36971
net: fix __dst_negative_advice() race
In short
A race condition in the Linux kernel's network code can cause a program to access memory that has already been freed (use-after-free). This happens when the network cache is cleared in the wrong order, potentially crashing the system or allowing attackers to exploit it.
Technical detail
CVE-2024-36971 involves a use-after-free (CWE-416) vulnerability in __dst_negative_advice() where improper RCU synchronization allows sk->dst_cache to be accessed after being released. The vulnerability requires local access and occurs when UDP sockets trigger the flawed cache clearing sequence, where dst_release() is called before sk_dst_cache is cleared, violating RCU ordering semantics.
Summary generated and translated by AI from the official description.
In the Linux kernel, the following vulnerability has been resolved:
net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.
RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).
Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.
Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.
Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.
Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Linux · Linuxpublic PoCs found — 1
githubgithub.com/M4G1XX/CVE-2024-36971★ 1⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59ehttps://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fchttps://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cfhttps://lists.debian.org/debian-lts-announce/2024/06/msg00020.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36971