CVE-2024-36979
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-36979
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36979.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-36979
- Downstream
- Related
- Published
- 2024-06-19T13:35:12Z
- Modified
- 2025-10-14T17:32:41.749593Z
- Summary
- net: bridge: mst: fix vlan use-after-free
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: mst: fix vlan use-after-free
syzbot reported a suspicious rcu usage[1] in bridge's mst code. While fixing it I noticed that nothing prevents a vlan to be freed while walking the list from the same path (br forward delay timer). Fix the rcu usage and also make sure we are not accessing freed memory by making brmstvlansetstate use rcu read lock.
[1] WARNING: suspicious RCU usage 6.9.0-rc6-syzkaller #0 Not tainted
net/bridge/brprivate.h:1599 suspicious rcudereferenceprotected() usage! ... stack backtrace: CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <IRQ> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:114 lockdeprcususpicious+0x221/0x340 kernel/locking/lockdep.c:6712 nbpvlangroup net/bridge/brprivate.h:1599 [inline] brmstsetstate+0x1ea/0x650 net/bridge/brmst.c:105 brsetstate+0x28a/0x7b0 net/bridge/brstp.c:47 brforwarddelaytimerexpired+0x176/0x440 net/bridge/brstptimer.c:88 calltimerfn+0x18e/0x650 kernel/time/timer.c:1793 expiretimers kernel/time/timer.c:1844 [inline] _runtimers kernel/time/timer.c:2418 [inline] _runtimerbase+0x66a/0x8e0 kernel/time/timer.c:2429 runtimerbase kernel/time/timer.c:2438 [inline] runtimersoftirq+0xb7/0x170 kernel/time/timer.c:2448 _dosoftirq+0x2c6/0x980 kernel/softirq.c:554 invokesoftirq kernel/softirq.c:428 [inline] _irqexitrcu+0xf2/0x1c0 kernel/softirq.c:633 irqexitrcu+0x9/0x30 kernel/softirq.c:645 instrsysvecapictimerinterrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvecapictimerinterrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asmsysvecapictimerinterrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758 Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 RSP: 0018:ffffc90013657100 EFLAGS: 00000206 RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001 RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28 R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b
- https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59
- https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e
- https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac
- https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec7328b59176227216c461601c6bd0e922232a9bFixed8ca9a750fc711911ef616ceb627d07357b04545e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec7328b59176227216c461601c6bd0e922232a9bFixed4488617e5e995a09abe4d81add5fb165674edb59
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec7328b59176227216c461601c6bd0e922232a9bFixeda2b01e65d9ba8af2bb086d3b7288ca53a07249ac
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec7328b59176227216c461601c6bd0e922232a9bFixede43dd2b1ec746e105b7db5f9ad6ef14685a615a4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec7328b59176227216c461601c6bd0e922232a9bFixed3a7c1661ae1383364cd6092d851f5e5da64d476b
Affected versions
v5.*
v5.17
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.10
v6.8.11
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
Database specific
{
"vanir_signatures": [
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_set_state"
},
"digest": {
"length": 608.0,
"function_hash": "297628514827120839173709322144747821414"
},
"signature_version": "v1",
"id": "CVE-2024-36979-0338eef3",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4488617e5e995a09abe4d81add5fb165674edb59"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_vlan_set_state"
},
"digest": {
"length": 239.0,
"function_hash": "120848122297599345099449419224629595632"
},
"signature_version": "v1",
"id": "CVE-2024-36979-0c549b81",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"
},
{
"target": {
"file": "net/bridge/br_mst.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"71176022140547370155011913747541233248",
"184376698003702604387312855315850218504",
"219123152805287180464219943391796070198",
"261687410414894992662115874376691339369",
"244831573663796680975665851836899597073",
"94175952165312595262698497027405285447",
"142406620619170547824942425749738730151",
"334904680732058157893377217011896196820",
"173509564415475636813266632249482876680",
"250651285412069633840883384978830850931",
"218438417915292614536329214301587761986",
"147451121595564141842301968872070203450",
"221130380627314169568382073214867089290",
"2164988580507632230280848869136352030",
"14202092185217239872537969766776975352",
"12932074002210946325125749430447535152",
"5679564940736032072171292419950676823",
"217123714473310868071523085735285592701",
"139892798802216276072815050633485186249",
"169995857073457930910382630006530586206",
"155749952091192976755063131114238950737",
"246823163842205894270231102502902987357"
]
},
"signature_version": "v1",
"id": "CVE-2024-36979-1ca31542",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ca9a750fc711911ef616ceb627d07357b04545e"
},
{
"target": {
"file": "net/bridge/br_mst.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"71176022140547370155011913747541233248",
"184376698003702604387312855315850218504",
"219123152805287180464219943391796070198",
"261687410414894992662115874376691339369",
"244831573663796680975665851836899597073",
"94175952165312595262698497027405285447",
"142406620619170547824942425749738730151",
"334904680732058157893377217011896196820",
"173509564415475636813266632249482876680",
"250651285412069633840883384978830850931",
"218438417915292614536329214301587761986",
"147451121595564141842301968872070203450",
"221130380627314169568382073214867089290",
"2164988580507632230280848869136352030",
"14202092185217239872537969766776975352",
"12932074002210946325125749430447535152",
"5679564940736032072171292419950676823",
"217123714473310868071523085735285592701",
"139892798802216276072815050633485186249",
"169995857073457930910382630006530586206",
"155749952091192976755063131114238950737",
"246823163842205894270231102502902987357"
]
},
"signature_version": "v1",
"id": "CVE-2024-36979-201ba4d7",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a7c1661ae1383364cd6092d851f5e5da64d476b"
},
{
"target": {
"file": "net/bridge/br_mst.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"71176022140547370155011913747541233248",
"184376698003702604387312855315850218504",
"219123152805287180464219943391796070198",
"261687410414894992662115874376691339369",
"244831573663796680975665851836899597073",
"94175952165312595262698497027405285447",
"142406620619170547824942425749738730151",
"334904680732058157893377217011896196820",
"173509564415475636813266632249482876680",
"250651285412069633840883384978830850931",
"218438417915292614536329214301587761986",
"147451121595564141842301968872070203450",
"221130380627314169568382073214867089290",
"2164988580507632230280848869136352030",
"14202092185217239872537969766776975352",
"12932074002210946325125749430447535152",
"5679564940736032072171292419950676823",
"217123714473310868071523085735285592701",
"139892798802216276072815050633485186249",
"169995857073457930910382630006530586206",
"155749952091192976755063131114238950737",
"246823163842205894270231102502902987357"
]
},
"signature_version": "v1",
"id": "CVE-2024-36979-53937f95",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_set_state"
},
"digest": {
"length": 608.0,
"function_hash": "297628514827120839173709322144747821414"
},
"signature_version": "v1",
"id": "CVE-2024-36979-7d0e8ed8",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_vlan_set_state"
},
"digest": {
"length": 239.0,
"function_hash": "120848122297599345099449419224629595632"
},
"signature_version": "v1",
"id": "CVE-2024-36979-8247f3a5",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ca9a750fc711911ef616ceb627d07357b04545e"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_set_state"
},
"digest": {
"length": 608.0,
"function_hash": "297628514827120839173709322144747821414"
},
"signature_version": "v1",
"id": "CVE-2024-36979-865d70cc",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ca9a750fc711911ef616ceb627d07357b04545e"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_vlan_set_state"
},
"digest": {
"length": 239.0,
"function_hash": "120848122297599345099449419224629595632"
},
"signature_version": "v1",
"id": "CVE-2024-36979-86a117cf",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_vlan_set_state"
},
"digest": {
"length": 239.0,
"function_hash": "120848122297599345099449419224629595632"
},
"signature_version": "v1",
"id": "CVE-2024-36979-8a982557",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a7c1661ae1383364cd6092d851f5e5da64d476b"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_vlan_set_state"
},
"digest": {
"length": 239.0,
"function_hash": "120848122297599345099449419224629595632"
},
"signature_version": "v1",
"id": "CVE-2024-36979-8e4d6cac",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4488617e5e995a09abe4d81add5fb165674edb59"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_set_state"
},
"digest": {
"length": 608.0,
"function_hash": "297628514827120839173709322144747821414"
},
"signature_version": "v1",
"id": "CVE-2024-36979-9a6bb65c",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"
},
{
"target": {
"file": "net/bridge/br_mst.c",
"function": "br_mst_set_state"
},
"digest": {
"length": 608.0,
"function_hash": "297628514827120839173709322144747821414"
},
"signature_version": "v1",
"id": "CVE-2024-36979-b7262ca8",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a7c1661ae1383364cd6092d851f5e5da64d476b"
},
{
"target": {
"file": "net/bridge/br_mst.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"71176022140547370155011913747541233248",
"184376698003702604387312855315850218504",
"219123152805287180464219943391796070198",
"261687410414894992662115874376691339369",
"244831573663796680975665851836899597073",
"94175952165312595262698497027405285447",
"142406620619170547824942425749738730151",
"334904680732058157893377217011896196820",
"173509564415475636813266632249482876680",
"250651285412069633840883384978830850931",
"218438417915292614536329214301587761986",
"147451121595564141842301968872070203450",
"221130380627314169568382073214867089290",
"2164988580507632230280848869136352030",
"14202092185217239872537969766776975352",
"12932074002210946325125749430447535152",
"5679564940736032072171292419950676823",
"217123714473310868071523085735285592701",
"139892798802216276072815050633485186249",
"169995857073457930910382630006530586206",
"155749952091192976755063131114238950737",
"246823163842205894270231102502902987357"
]
},
"signature_version": "v1",
"id": "CVE-2024-36979-efa9a6a6",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4488617e5e995a09abe4d81add5fb165674edb59"
},
{
"target": {
"file": "net/bridge/br_mst.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"71176022140547370155011913747541233248",
"184376698003702604387312855315850218504",
"219123152805287180464219943391796070198",
"261687410414894992662115874376691339369",
"244831573663796680975665851836899597073",
"94175952165312595262698497027405285447",
"142406620619170547824942425749738730151",
"334904680732058157893377217011896196820",
"173509564415475636813266632249482876680",
"250651285412069633840883384978830850931",
"218438417915292614536329214301587761986",
"147451121595564141842301968872070203450",
"221130380627314169568382073214867089290",
"2164988580507632230280848869136352030",
"14202092185217239872537969766776975352",
"12932074002210946325125749430447535152",
"5679564940736032072171292419950676823",
"217123714473310868071523085735285592701",
"139892798802216276072815050633485186249",
"169995857073457930910382630006530586206",
"155749952091192976755063131114238950737",
"246823163842205894270231102502902987357"
]
},
"signature_version": "v1",
"id": "CVE-2024-36979-fdaaf925",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"
}
]
}