CVE-2024-26793

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26793
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26793.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26793
Related
Published
2024-04-04T09:15:08Z
Modified
2024-11-05T10:49:58.493872Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

gtp: fix use-after-free and null-ptr-deref in gtp_newlink()

The gtplinkops operations structure for the subsystem must be registered after registering the gtpnetops pernet operations structure.

Syzkaller hit 'general protection fault in gtpgenldump_pdp' bug:

[ 1010.702740] gtp: GTP module unloaded [ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1 [ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 [ 1010.715908] RIP: 0010:gtpnewlink+0x4d7/0x9c0 [gtp] [ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00 [ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203 [ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000 [ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282 [ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000 [ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80 [ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400 [ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000 [ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0 [ 1010.715968] PKRU: 55555554 [ 1010.715972] Call Trace: [ 1010.715985] ? diebody.cold+0x1a/0x1f [ 1010.715995] ? dieaddr+0x43/0x70 [ 1010.716002] ? excgeneralprotection+0x199/0x2f0 [ 1010.716016] ? asmexcgeneralprotection+0x1e/0x30 [ 1010.716026] ? gtpnewlink+0x4d7/0x9c0 [gtp] [ 1010.716034] ? gtpnetexit+0x150/0x150 [gtp] [ 1010.716042] _rtnlnewlink+0x1063/0x1700 [ 1010.716051] ? rtnlsetlink+0x3c0/0x3c0 [ 1010.716063] ? isbpftextaddress+0xc0/0x1f0 [ 1010.716070] ? kerneltextaddress.part.0+0xbb/0xd0 [ 1010.716076] ? _kerneltextaddress+0x56/0xa0 [ 1010.716084] ? unwindgetreturnaddress+0x5a/0xa0 [ 1010.716091] ? createprofcpumask+0x30/0x30 [ 1010.716098] ? archstackwalk+0x9e/0xf0 [ 1010.716106] ? stacktracesave+0x91/0xd0 [ 1010.716113] ? stacktraceconsumeentry+0x170/0x170 [ 1010.716121] ? _lockacquire+0x15c5/0x5380 [ 1010.716139] ? markheldlocks+0x9e/0xe0 [ 1010.716148] ? kmemcachealloctrace+0x35f/0x3c0 [ 1010.716155] ? _rtnlnewlink+0x1700/0x1700 [ 1010.716160] rtnlnewlink+0x69/0xa0 [ 1010.716166] rtnetlinkrcvmsg+0x43b/0xc50 [ 1010.716172] ? rtnlfdbdump+0x9f0/0x9f0 [ 1010.716179] ? lockacquire+0x1fe/0x560 [ 1010.716188] ? netlinkdelivertap+0x12f/0xd50 [ 1010.716196] netlinkrcvskb+0x14d/0x440 [ 1010.716202] ? rtnlfdbdump+0x9f0/0x9f0 [ 1010.716208] ? netlinkack+0xab0/0xab0 [ 1010.716213] ? netlinkdelivertap+0x202/0xd50 [ 1010.716220] ? netlinkdelivertap+0x218/0xd50 [ 1010.716226] ? _virtaddrvalid+0x30b/0x590 [ 1010.716233] netlinkunicast+0x54b/0x800 [ 1010.716240] ? netlinkattachskb+0x870/0x870 [ 1010.716248] ? _checkobjectsize+0x2de/0x3b0 [ 1010.716254] netlinksendmsg+0x938/0xe40 [ 1010.716261] ? netlinkunicast+0x800/0x800 [ 1010.716269] ? _importiovec+0x292/0x510 [ 1010.716276] ? netlinkunicast+0x800/0x800 [ 1010.716284] _socksendmsg+0x159/0x190 [ 1010.716290] syssendmsg+0x712/0x880 [ 1010.716297] ? sockwriteiter+0x3d0/0x3d0 [ 1010.716304] ? ia32sysrecvmmsg+0x270/0x270 [ 1010.716309] ? lockacquire+0x1fe/0x560 [ 1010.716315] ? drainarraylocked+0x90/0x90 [ 1010.716324] syssendmsg+0xf8/0x170 [ 1010.716331] ? sendmsgcopymsghdr+0x170/0x170 [ 1010.716337] ? lockdepinitmap ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.216-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.82-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.9-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}