CVE-2024-42108

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-42108
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-42108.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-42108
Downstream
Published
2024-07-30T07:46:03Z
Modified
2025-10-17T09:24:31.588351Z
Summary
net: rswitch: Avoid use-after-free in rswitch_poll()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: rswitch: Avoid use-after-free in rswitch_poll()

The use-after-free is actually in rswitchtxfree(), which is inlined in rswitchpoll(). Since skb and gq->skbs[gq->dirty] are in fact the same pointer, the skb is first freed using devkfreeskbany(), then the value in skb->len is used to update the interface statistics.

Let's move around the instructions to use skb->len before the skb is freed.

This bug is trivial to reproduce using KFENCE. It will trigger a splat every few packets. A simple ARP request or ICMP echo request is enough.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0aeec4bb6a9fc963932bf3c929bdf27d835d44e9
Fixed
4a41bb9f2b402469d425a1c13359d3b3ea4e6403
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
271e015b91535dd87fd0f5df0cc3b906c2eddef9
Fixed
92cbbe7759193e3418f38d0d73f8fe125312c58b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
271e015b91535dd87fd0f5df0cc3b906c2eddef9
Fixed
9a0c28efeec6383ef22e97437616b920e7320b67

Affected versions

v6.*

v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.7
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.9.9