In the Linux kernel, the following vulnerability has been resolved:
tls: fix missing memory barrier in tls_init
In tls_init(), a write memory barrier is missing, so store-store reordering may cause a NULL pointer dereference in tls_{setsockopt,getsockopt}().
CPU0                                    CPU1
-----                                   -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot)  -(1)

// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots)      -(2)

                                        // In sock_common_setsockopt()
                                        READ_ONCE(sk->sk_prot)->setsockopt()

                                        // In tls_{setsockopt,getsockopt}()
                                        ctx->sk_proto->setsockopt()     -(3)
In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference.
To fix it, we rely on rcu_assign_pointer(), which implies release-barrier semantics: every store before it is ordered before the pointer store itself. By moving the rcu_assign_pointer() in tls_ctx_create() after ctx->sk_proto is initialized, the store to ctx->sk_proto is guaranteed to be visible before sk->sk_prot is switched to tls_prots, so (3) can no longer observe a NULL ctx->sk_proto. Note that no new barrier is added; the fix is purely a reordering of the existing store so that the release semantics already present cover ctx->sk_proto.
[ { "deprecated": false, "digest": { "line_hashes": [ "253993795044722248310849727273987245451", "221518932965927699011086044589313951588", "203781693341101393254557754082559953642", "283718567885345170255228522986646286152", "218813271005998399166028136490044831428", "68538885178052111106596992612763138690" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91e61dd7a0af660408e87372d8330ceb218be302", "id": "CVE-2024-36489-02141a21", "target": { "file": "net/tls/tls_main.c" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "length": 325.0, "function_hash": "137996608799977645870001915600525283855" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab67c2fd3d070a21914d0c31319d3858ab4e199c", "id": "CVE-2024-36489-12a27928", "target": { "file": "net/tls/tls_main.c", "function": "tls_ctx_create" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "length": 325.0, "function_hash": "137996608799977645870001915600525283855" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d72e126e9a36d3d33889829df8fc90100bb0e071", "id": "CVE-2024-36489-16c17960", "target": { "file": "net/tls/tls_main.c", "function": "tls_ctx_create" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "line_hashes": [ "253993795044722248310849727273987245451", "221518932965927699011086044589313951588", "203781693341101393254557754082559953642", "283718567885345170255228522986646286152", "218813271005998399166028136490044831428", "68538885178052111106596992612763138690" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@335c8f1566d8e44c384d16b450a18554896d4e8b", "id": "CVE-2024-36489-3f6544e4", "target": { "file": "net/tls/tls_main.c" }, "signature_version": "v1" }, { "deprecated": false, "digest": { 
"length": 325.0, "function_hash": "137996608799977645870001915600525283855" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef21007a7b581c7fe64d5a10c320880a033c837b", "id": "CVE-2024-36489-4059c85a", "target": { "file": "net/tls/tls_main.c", "function": "tls_ctx_create" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "line_hashes": [ "253993795044722248310849727273987245451", "221518932965927699011086044589313951588", "203781693341101393254557754082559953642", "283718567885345170255228522986646286152", "218813271005998399166028136490044831428", "68538885178052111106596992612763138690" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab67c2fd3d070a21914d0c31319d3858ab4e199c", "id": "CVE-2024-36489-4134cd06", "target": { "file": "net/tls/tls_main.c" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "line_hashes": [ "253993795044722248310849727273987245451", "221518932965927699011086044589313951588", "203781693341101393254557754082559953642", "283718567885345170255228522986646286152", "218813271005998399166028136490044831428", "68538885178052111106596992612763138690" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c260a24cf1c4d30ea3646124f766ee46169280b", "id": "CVE-2024-36489-87be88ab", "target": { "file": "net/tls/tls_main.c" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "length": 325.0, "function_hash": "137996608799977645870001915600525283855" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@335c8f1566d8e44c384d16b450a18554896d4e8b", "id": "CVE-2024-36489-a39aff1f", "target": { "file": "net/tls/tls_main.c", "function": "tls_ctx_create" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "length": 325.0, "function_hash": 
"137996608799977645870001915600525283855" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91e61dd7a0af660408e87372d8330ceb218be302", "id": "CVE-2024-36489-a980883a", "target": { "file": "net/tls/tls_main.c", "function": "tls_ctx_create" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "line_hashes": [ "253993795044722248310849727273987245451", "221518932965927699011086044589313951588", "203781693341101393254557754082559953642", "283718567885345170255228522986646286152", "218813271005998399166028136490044831428", "68538885178052111106596992612763138690" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d72e126e9a36d3d33889829df8fc90100bb0e071", "id": "CVE-2024-36489-af9b7475", "target": { "file": "net/tls/tls_main.c" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "length": 325.0, "function_hash": "137996608799977645870001915600525283855" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c260a24cf1c4d30ea3646124f766ee46169280b", "id": "CVE-2024-36489-b9970cc9", "target": { "file": "net/tls/tls_main.c", "function": "tls_ctx_create" }, "signature_version": "v1" }, { "deprecated": false, "digest": { "line_hashes": [ "253993795044722248310849727273987245451", "221518932965927699011086044589313951588", "203781693341101393254557754082559953642", "283718567885345170255228522986646286152", "218813271005998399166028136490044831428", "68538885178052111106596992612763138690" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef21007a7b581c7fe64d5a10c320880a033c837b", "id": "CVE-2024-36489-f00bea06", "target": { "file": "net/tls/tls_main.c" }, "signature_version": "v1" } ]