{
  "threat_severity" : "Moderate",
  "public_date" : "2024-12-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tipc: Fix use-after-free of kernel socket in cleanup_bearer().",
    "id" : "2334562",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334562"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntipc: Fix use-after-free of kernel socket in cleanup_bearer().\nsyzkaller reported a use-after-free of UDP kernel socket\nin cleanup_bearer() without repro. [0][1]\nWhen bearer_disable() calls tipc_udp_disable(), cleanup\nof the UDP kernel socket is deferred by work calling\ncleanup_bearer().\ntipc_exit_net() waits for such works to finish by checking\ntipc_net(net)->wq_count.  However, the work decrements the\ncount too early before releasing the kernel socket,\nunblocking cleanup_net() and resulting in use-after-free.\nLet's move the decrement after releasing the socket in\ncleanup_bearer().\n[0]:\nref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at\nsk_alloc+0x438/0x608\ninet_create+0x4c8/0xcb0\n__sock_create+0x350/0x6b8\nsock_create_kern+0x58/0x78\nudp_sock_create4+0x68/0x398\nudp_sock_create+0x88/0xc8\ntipc_udp_enable+0x5e8/0x848\n__tipc_nl_bearer_enable+0x84c/0xed8\ntipc_nl_bearer_enable+0x38/0x60\ngenl_family_rcv_msg_doit+0x170/0x248\ngenl_rcv_msg+0x400/0x5b0\nnetlink_rcv_skb+0x1dc/0x398\ngenl_rcv+0x44/0x68\nnetlink_unicast+0x678/0x8b0\nnetlink_sendmsg+0x5e4/0x898\n____sys_sendmsg+0x500/0x830\n[1]:\nBUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]\nBUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\nudp_hashslot include/net/udp.h:85 [inline]\nudp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\nsk_common_release+0xaf/0x3f0 net/core/sock.c:3820\ninet_release+0x1e0/0x260 net/ipv4/af_inet.c:437\ninet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489\n__sock_release net/socket.c:658 [inline]\nsock_release+0xa0/0x210 net/socket.c:686\ncleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\nworker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\nkthread+0x531/0x6b0 kernel/kthread.c:389\nret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\nUninit was created at:\nslab_free_hook mm/slub.c:2269 [inline]\nslab_free mm/slub.c:4580 [inline]\nkmem_cache_free+0x207/0xc40 mm/slub.c:4682\nnet_free net/core/net_namespace.c:454 [inline]\ncleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\nworker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\nkthread+0x531/0x6b0 kernel/kthread.c:389\nret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\nCPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: events cleanup_bearer" ],
  "statement" : "The bug could happen while closing a TIPC connection (for UDP sockets only). If TIPC is not being used, the system is not affected. The security impact is limited, because the bug could happen only under specific conditions (a kind of race condition during shutdown in Inter-process Communications).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-56642\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56642\nhttps://lore.kernel.org/linux-cve-announce/2024122737-CVE-2024-56642-71ee@gregkh/T" ],
  "name" : "CVE-2024-56642",
  "mitigation" : {
    "value" : "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-tipc_configuring-and-managing-networking#loading-the-tipc-module-when-the-system-boots_getting-started-with-tipc",
    "lang" : "en:us"
  },
  "csaw" : false
}