CVE-2024-36489

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36489
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36489.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-36489
Published
2024-06-21T11:15:10Z
Modified
2025-08-09T20:01:25Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tls: fix missing memory barrier in tls_init

In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.

    CPU0                                    CPU1
    -----                                   -----
    // In tls_init()
    // In tls_ctx_create()
    ctx = kzalloc()
    ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

    // In update_sk_prot()
    WRITE_ONCE(sk->sk_prot, tls_prots)     -(2)

                                            // In sock_common_setsockopt()
                                            READ_ONCE(sk->sk_prot)->setsockopt()

                                            // In tls_{setsockopt,getsockopt}()
                                            ctx->sk_proto->setsockopt()    -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference.

To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto is visible when changing sk->sk_prot.
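The ordering requirement between stores (1) and (2) can be modelled in userspace with C11 atomics. This is an added example, not kernel code or the upstream patch: the embedded context, the function names `sock_init`, `tls_init_unordered` and `tls_init_release`, and the `-1` return standing in for the NULL dereference are assumptions, and the release ordering is attached directly to store (2) rather than to rcu_assign_pointer().

```c
#include <stdatomic.h>
#include <stddef.h>

struct sock;
struct proto { int (*setsockopt)(struct sock *sk); };
struct tls_context { _Atomic(const struct proto *) sk_proto; };
struct sock {
    _Atomic(const struct proto *) sk_prot;
    struct tls_context ctx;          /* model: embedded, not kzalloc()ed */
};

static int base_setsockopt(struct sock *sk) { (void)sk; return 100; }

/* Step (3), on the reader CPU after it has seen tls_prots. */
static int tls_setsockopt(struct sock *sk)
{
    const struct proto *orig =
        atomic_load_explicit(&sk->ctx.sk_proto, memory_order_relaxed);
    if (!orig)
        return -1;                   /* the kernel dereferences NULL here */
    return orig->setsockopt(sk) + 1;
}

static const struct proto base_prots = { base_setsockopt };
static const struct proto tls_prots = { tls_setsockopt };

void sock_init(struct sock *sk)
{
    atomic_init(&sk->ctx.sk_proto, NULL);   /* zeroed context */
    atomic_init(&sk->sk_prot, &base_prots);
}

/* Unordered: nothing orders (1) before (2); a weakly ordered CPU may expose (2) first. */
void tls_init_unordered(struct sock *sk)
{
    const struct proto *cur = atomic_load_explicit(&sk->sk_prot, memory_order_relaxed);
    atomic_store_explicit(&sk->ctx.sk_proto, cur, memory_order_relaxed);        /* (1) */
    atomic_store_explicit(&sk->sk_prot, &tls_prots, memory_order_relaxed);      /* (2) */
}

/* Ordered: the release store makes (1) visible to any reader that observes (2). */
void tls_init_release(struct sock *sk)
{
    const struct proto *cur = atomic_load_explicit(&sk->sk_prot, memory_order_relaxed);
    atomic_store_explicit(&sk->ctx.sk_proto, cur, memory_order_relaxed);        /* (1) */
    atomic_store_explicit(&sk->sk_prot, &tls_prots, memory_order_release);      /* (2) */
}

/* Reader side, as in sock_common_setsockopt(); acquire pairs with the release above. */
int sock_setsockopt(struct sock *sk)
{
    return atomic_load_explicit(&sk->sk_prot, memory_order_acquire)->setsockopt(sk);
}
```

A reader that sees `tls_prots` while `ctx.sk_proto` is still NULL gets `-1` in this model; that is the state the unordered variant permits on weakly ordered hardware and the release variant rules out.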

References

Affected packages