DEBIAN-CVE-2024-35899

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2024-35899

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-35899.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-35899

Upstream

CVE-2024-35899

Published

2024-05-19T09:15:10Z

Modified

2025-09-18T06:28:18.791672Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: flush pending destroy work before exitnet release Similar to 2c9f0293280e ("netfilter: nftables: flush pending destroy work before netlink notifier") to address a race between exitnet and the destroy workqueue. The trace below shows an element to be released via destroy workqueue while exitnet path (triggered via module removal) has already released the set that is used in such transaction. [ 1360.547789] BUG: KASAN: slab-use-after-free in nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nftablestransdestroywork [nftables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dumpstacklvl+0x53/0x70 [ 1360.548014] printreport+0xc4/0x610 [ 1360.548026] ? virtaddrvalid+0xba/0x160 [ 1360.548040] ? _pfxrawspinlockirqsave+0x10/0x10 [ 1360.548054] ? nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548176] kasanreport+0xae/0xe0 [ 1360.548189] ? nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548312] nftablestransdestroywork+0x3f5/0x590 [nftables] [ 1360.548447] ? pfxnftablestransdestroywork+0x10/0x10 [nftables] [ 1360.548577] ? rawspinunlockirq+0x18/0x30 [ 1360.548591] processonework+0x2f1/0x670 [ 1360.548610] workerthread+0x4d3/0x760 [ 1360.548627] ? _pfxworkerthread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? _pfxkthread+0x10/0x10 [ 1360.548665] retfromfork+0x2f/0x50 [ 1360.548679] ? _pfxkthread+0x10/0x10 [ 1360.548690] retfromforkasm+0x1a/0x30 [ 1360.548707] </TASK> [ 1360.548719] Allocated by task 192061: [ 1360.548726] kasansavestack+0x20/0x40 [ 1360.548739] kasansavetrack+0x14/0x30 [ 1360.548750] _kasankmalloc+0x8f/0xa0 [ 1360.548760] _kmallocnode+0x1f1/0x450 [ 1360.548771] nftablesnewset+0x10c7/0x1b50 [nftables] [ 1360.548883] nfnetlinkrcvbatch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlinkrcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlinkunicast+0x367/0x4f0 [ 1360.548935] netlinksendmsg+0x34b/0x610 [ 1360.548944] _syssendmsg+0x4d4/0x510 [ 1360.548953] syssendmsg+0xc9/0x120 [ 1360.548961] _syssendmsg+0xbe/0x140 [ 1360.548971] dosyscall64+0x55/0x120 [ 1360.548982] entrySYSCALL64afterhwframe+0x55/0x5d [ 1360.548994] Freed by task 192222: [ 1360.548999] kasansavestack+0x20/0x40 [ 1360.549009] kasansavetrack+0x14/0x30 [ 1360.549019] kasansavefreeinfo+0x3b/0x60 [ 1360.549028] poisonslabobject+0x100/0x180 [ 1360.549036] _kasanslabfree+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] _nftreleasetable+0x473/0x6a0 [nftables] [ 1360.549131] nftablesexitnet+0x170/0x240 [nftables] [ 1360.549221] opsexitlist+0x50/0xa0 [ 1360.549229] freeexitlist+0x101/0x140 [ 1360.549236] unregisterpernetoperations+0x107/0x160 [ 1360.549245] unregisterpernetsubsys+0x1c/0x30 [ 1360.549254] nftablesmoduleexit+0x43/0x80 [nftables] [ 1360.549345] _dosysdeletemodule+0x253/0x370 [ 1360.549352] dosyscall64+0x55/0x120 [ 1360.549360] entrySYSCALL64afterhwframe+0x55/0x5d (gdb) list *nftreleasetable+0x473 0x1e033 is in _nftreleasetable (net/netfilter/nftablesapi.c:11354). 11349 listforeachentrysafe(flowtable, nf, &table->flowtables, list) { 11350 listdel(&flowtable->list); 11351 nftusedec(&table->use); 11352 nftablesflowtabledestroy(flowtable); 11353 } 11354 listforeachentrysafe(set, ns, &table->sets, list) { 11355 listdel(&set->list); 11356 nftusedec(&table->use); 11357 if (set->flags & (NFTSETMAP | NFTSETOBJECT)) 11358 nftmap_deactivat ---truncated---

References

https://security-tracker.debian.org/tracker/CVE-2024-35899

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.216-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

5.10.178-1

5.10.178-2

5.10.178-3

5.10.179-1

5.10.179-2

5.10.179-3

5.10.179-4

5.10.179-5

5.10.191-1

5.10.197-1

5.10.205-1

5.10.205-2

5.10.209-1

5.10.209-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.85-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.8.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.8.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}