{
"threat_severity" : "Moderate",
"public_date" : "2024-06-19T00:00:00Z",
"bugzilla" : {
"description" : "kernel: net: bridge: mst: fix vlan use-after-free",
"id" : "2293276",
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293276"
},
"cvss3" : {
"cvss3_base_score" : "6.6",
"cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status" : "verified"
},
"cwe" : "CWE-416",
"details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: bridge: mst: fix vlan use-after-free\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n[1]\nWARNING: suspicious RCU usage\n6.9.0-rc6-syzkaller #0 Not tainted\n-----------------------------\nnet/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n...\nstack backtrace:\nCPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\nlockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\nnbp_vlan_group net/bridge/br_private.h:1599 [inline]\nbr_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\nbr_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\nbr_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\ncall_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\nexpire_timers kernel/time/timer.c:1844 [inline]\n__run_timers kernel/time/timer.c:2418 [inline]\n__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\nrun_timer_base kernel/time/timer.c:2438 [inline]\nrun_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n__do_softirq+0x2c6/0x980 kernel/softirq.c:554\ninvoke_softirq kernel/softirq.c:428 [inline]\n__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\nirq_exit_rcu+0x9/0x30 kernel/softirq.c:645\ninstr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\nsysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n\n\nasm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\nRIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\nCode: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\nRSP: 0018:ffffc90013657100 EFLAGS: 00000206\nRAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\nRDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\nRBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\nR10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\nR13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246", "A use-after-free flaw was found in net/bridge/br_mst.c in the Linux kernel. This issue may lead to compromised Confidentiality and Integrity, and can crash." ],
"statement" : "Red Hat has determined this vulnerability to be moderate impact, as it is triggered within the bridge vlan processing context, a network-layer operation that mainly affects how vlan states are updated and does not directly/implicitly expose sensitive user-space memory, limiting the confidentiality impact. This processing context does not provide direct control over arbitrary memory writes, limiting the impact to integrity. The most likely result is a kernel panic or crash.",
"affected_release" : [ {
"product_name" : "Red Hat Enterprise Linux 8",
"release_date" : "2024-08-08T00:00:00Z",
"advisory" : "RHSA-2024:5102",
"cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
"package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"release_date" : "2024-08-08T00:00:00Z",
"advisory" : "RHSA-2024:5101",
"cpe" : "cpe:/o:redhat:enterprise_linux:8",
"package" : "kernel-0:4.18.0-553.16.1.el8_10"
}, {
"product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
"release_date" : "2024-09-03T00:00:00Z",
"advisory" : "RHSA-2024:6206",
"cpe" : "cpe:/o:redhat:rhel_eus:8.8",
"package" : "kernel-0:4.18.0-477.70.1.el8_8"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2024-09-11T00:00:00Z",
"advisory" : "RHSA-2024:6567",
"cpe" : "cpe:/a:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-427.35.1.el9_4"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2024-09-11T00:00:00Z",
"advisory" : "RHSA-2024:6567",
"cpe" : "cpe:/o:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-427.35.1.el9_4"
}, {
"product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
"release_date" : "2024-10-02T00:00:00Z",
"advisory" : "RHSA-2024:7489",
"cpe" : "cpe:/a:redhat:rhel_eus:9.2",
"package" : "kernel-0:5.14.0-284.86.1.el9_2"
}, {
"product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
"release_date" : "2024-10-02T00:00:00Z",
"advisory" : "RHSA-2024:7490",
"cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
"package" : "kernel-rt-0:5.14.0-284.86.1.rt14.371.el9_2"
} ],
"package_state" : [ {
"product_name" : "Red Hat Enterprise Linux 6",
"fix_state" : "Out of support scope",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:6"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Out of support scope",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Out of support scope",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"fix_state" : "Affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:9"
} ],
"references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-36979\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36979\nhttps://lore.kernel.org/linux-cve-announce/2024061945-CVE-2024-36979-b4a6@gregkh/T" ],
"name" : "CVE-2024-36979",
"csaw" : false
}