In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: must hold reference on net namespace
BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0 Read of size 8 at addr ffff8880106fe400 by task repro/72: bpf_nf_link_release+0xda/0x1e0 bpf_link_free+0x139/0x2d0 bpf_link_release+0x68/0x80 __fput+0x414/0xb60
Eric says: It seems that bpf was able to defer the __nf_unregister_net_hook() call until after exit()/close() time. Perhaps a netns reference is missing, because the netns has been dismantled/freed already. bpf_nf_link_attach() does: link->net = net; but I do not see a reference being taken on net.
Add such a reference and release it after hook unreg. Note that I was unable to get syzbot reproducer to work, so I do not know if this resolves this splat.
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f41bd93b3e0508edc7ba820357f949071dcc0acc",
"id": "CVE-2024-50130-116739ee",
"target": {
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"337390387045765784565917987904861560078",
"230921912482870718071664023502938772841",
"18176702465860930897218463883276600011",
"143690948464569323398329512731946574237",
"125388335833633613957181634424791199092",
"156985405311920459386390093868118002129",
"8273955081059952374463036426475065718",
"205395068252976896875454079283704949736",
"333523770422117181556284308284686654141",
"33995631870894759694749938231733490730",
"223674056423739471302620160323550277443"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0d7939543a1b3bb93af9a18d258a774daf8f162",
"id": "CVE-2024-50130-14517dc5",
"target": {
"function": "bpf_nf_link_release",
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"function_hash": "301394116118112729889518841025322448362",
"length": 289.0
},
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f41bd93b3e0508edc7ba820357f949071dcc0acc",
"id": "CVE-2024-50130-3a9fea12",
"target": {
"function": "bpf_nf_link_attach",
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"function_hash": "199997650567854648761163790994510544672",
"length": 1200.0
},
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1230fe7ad3974f7bf6c78901473e039b34d4fb1f",
"id": "CVE-2024-50130-57bad24c",
"target": {
"function": "bpf_nf_link_attach",
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"function_hash": "199997650567854648761163790994510544672",
"length": 1200.0
},
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0d7939543a1b3bb93af9a18d258a774daf8f162",
"id": "CVE-2024-50130-7cbffc7c",
"target": {
"function": "bpf_nf_link_attach",
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"function_hash": "199997650567854648761163790994510544672",
"length": 1200.0
},
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f41bd93b3e0508edc7ba820357f949071dcc0acc",
"id": "CVE-2024-50130-97da5abb",
"target": {
"function": "bpf_nf_link_release",
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"function_hash": "301394116118112729889518841025322448362",
"length": 289.0
},
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1230fe7ad3974f7bf6c78901473e039b34d4fb1f",
"id": "CVE-2024-50130-ab947a8e",
"target": {
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"337390387045765784565917987904861560078",
"230921912482870718071664023502938772841",
"18176702465860930897218463883276600011",
"143690948464569323398329512731946574237",
"125388335833633613957181634424791199092",
"156985405311920459386390093868118002129",
"8273955081059952374463036426475065718",
"205395068252976896875454079283704949736",
"333523770422117181556284308284686654141",
"33995631870894759694749938231733490730",
"223674056423739471302620160323550277443"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1230fe7ad3974f7bf6c78901473e039b34d4fb1f",
"id": "CVE-2024-50130-d0c84fc8",
"target": {
"function": "bpf_nf_link_release",
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"function_hash": "301394116118112729889518841025322448362",
"length": 289.0
},
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0d7939543a1b3bb93af9a18d258a774daf8f162",
"id": "CVE-2024-50130-dd5f27a9",
"target": {
"file": "net/netfilter/nf_bpf_link.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"337390387045765784565917987904861560078",
"230921912482870718071664023502938772841",
"18176702465860930897218463883276600011",
"143690948464569323398329512731946574237",
"125388335833633613957181634424791199092",
"156985405311920459386390093868118002129",
"8273955081059952374463036426475065718",
"205395068252976896875454079283704949736",
"333523770422117181556284308284686654141",
"33995631870894759694749938231733490730",
"223674056423739471302620160323550277443"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false
}
]