{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().",
    "id" : "2324313",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2324313"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\"\"\"\nWe are seeing a use-after-free from a bpf prog attached to\ntrace_tcp_retransmit_synack. The program passes the req->sk to the\nbpf_sk_storage_get_tracing kernel helper which does check for null\nbefore using it.\n\"\"\"\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer->entry.pprev and marks it as not pending.\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\nThe reported UAF could happen if req->sk is close()d earlier than the timer\nexpiration, which is 63s by default.\nThe scenario would be\n1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\nbut del_timer_sync() is missed\n2. reqsk timer is executed and scheduled again\n3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but\nreqsk timer still has another one, and inet_csk_accept() does not\nclear req->sk for non-TFO sockets\n4. sk is close()d\n5. reqsk timer is executed again, and BPF touches req->sk\nLet's not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb", "A use-after-free (UAF) vulnerability was found and fixed in the Linux kernel's TCP subsystem related to request socket (reqsk) timers during handshake handling. This issue stems from a race condition caused by relying on `timer_pending()` in `reqsk_queue_unlink()`. This could result in the timer continuing to run after the socket (`req->sk`) is freed, allowing BPF programs to access invalid memory." ],
  "statement" : "This vulnerability is classified as moderate severity rather than important because the issue primarily affects a narrow set of conditions, notably when BPF programs are involved in tracing TCP retransmissions. In most scenarios, the reqsk timer is pinned and the race condition is unlikely to be triggered. Additionally, the problem only occurs if the request socket (`req->sk`) is closed while the timer is still pending, which is an uncommon sequence of events. While the potential for a use-after-free (UAF) exists, it requires specific timing and conditions to exploit, limiting its overall risk and impact on typical systems.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-21T00:00:00Z",
    "advisory" : "RHSA-2025:11456",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.63.1.rt7.404.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-21T00:00:00Z",
    "advisory" : "RHSA-2025:11455",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.63.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-01-22T00:00:00Z",
    "advisory" : "RHSA-2025:0578",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.22.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-01-22T00:00:00Z",
    "advisory" : "RHSA-2025:0578",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.22.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-02-19T00:00:00Z",
    "advisory" : "RHSA-2025:1658",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.55.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50154\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50154\nhttps://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50154-0259@gregkh/T" ],
  "name" : "CVE-2024-50154",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}