CVE-2024-50261

Source
https://cve.org/CVERecord?id=CVE-2024-50261
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50261.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50261
Published
2024-11-09T10:15:14.259Z
Modified
2026-03-11T07:54:18.747087Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
macsec: Fix use-after-free while sending the offloading packet
Details

In the Linux kernel, the following vulnerability has been resolved:

macsec: Fix use-after-free while sending the offloading packet

KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while the driver still uses it for sending the packet.

To fix this issue, dst_release() is used instead to release the metadata_dst, so it is not freed instantly in macsec_free_netdev() if still referenced by an skb.

BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714
[...]
Workqueue: mld mld_ifc_work
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xc1/0x600
kasan_report+0xab/0xe0
mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
dev_hard_start_xmit+0x120/0x530
sch_direct_xmit+0x149/0x11e0
__qdisc_run+0x3ad/0x1730
__dev_queue_xmit+0x1196/0x2ed0
vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]
dev_hard_start_xmit+0x120/0x530
__dev_queue_xmit+0x14a7/0x2ed0
macsec_start_xmit+0x13e9/0x2340
dev_hard_start_xmit+0x120/0x530
__dev_queue_xmit+0x14a7/0x2ed0
ip6_finish_output2+0x923/0x1a70
ip6_finish_output+0x2d7/0x970
ip6_output+0x1ce/0x3a0
NF_HOOK.constprop.0+0x15f/0x190
mld_sendpack+0x59a/0xbd0
mld_ifc_work+0x48a/0xa80
process_one_work+0x5aa/0xe50
worker_thread+0x79c/0x1290
kthread+0x28f/0x350
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x11/0x20
</TASK>

Allocated by task 3922:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x77/0x90
__kmalloc_noprof+0x188/0x400
metadata_dst_alloc+0x1f/0x4e0
macsec_newlink+0x914/0x1410
__rtnl_newlink+0xe08/0x15b0
rtnl_newlink+0x5f/0x90
rtnetlink_rcv_msg+0x667/0xa80
netlink_rcv_skb+0x12c/0x360
netlink_unicast+0x551/0x770
netlink_sendmsg+0x72d/0xbd0
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x52e/0x6a0
___sys_sendmsg+0xeb/0x170
__sys_sendmsg+0xb5/0x140
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 4011:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x50
poison_slab_object+0x10c/0x190
__kasan_slab_free+0x11/0x30
kfree+0xe0/0x290
macsec_free_netdev+0x3f/0x140
netdev_run_todo+0x450/0xc70
rtnetlink_rcv_msg+0x66f/0xa80
netlink_rcv_skb+0x12c/0x360
netlink_unicast+0x551/0x770
netlink_sendmsg+0x72d/0xbd0
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x52e/0x6a0
___sys_sendmsg+0xeb/0x170
__sys_sendmsg+0xb5/0x140
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53
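The lifetime bug behind this record, as an added userland model (not kernel code and not the upstream fix): an unconditional free in the netdev teardown path, as metadata_dst_free() behaves, versus a refcounted release, as dst_release() behaves, while a queued skb still points at the same object. All names (model_dst, model_skb, model_xmit, model_last_freed) and the SCI value are constructed for the example.

```c
/* Added userland model of the CVE-2024-50261 lifetime bug; not kernel code.
 * Every name here (model_dst, model_skb, model_xmit, ...) is constructed. */
/* Stand-in for struct metadata_dst: refcounted, carries the macsec SCI. */
struct model_dst {
    int refcnt;
    unsigned long long sci;
    int live;  /* 1 while the backing memory is valid, 0 once "freed" */
};

/* Stand-in for struct sk_buff: a queued packet holds its own reference. */
struct model_skb { struct model_dst *dst; };
static int model_last_freed; /* set by the scenario: was the dst freed at the end? */

/* Models metadata_dst_free(): frees unconditionally, ignoring other holders. */
static void model_dst_free(struct model_dst *d) { d->live = 0; }

/* Models dst_release(): drop one reference, free only when the last one goes. */
static void model_dst_release(struct model_dst *d)
{
    if (--d->refcnt == 0)
        d->live = 0;
}

/* Models the driver xmit path reading the SCI out of the skb's dst. Returns -1
 * where real hardware would read freed memory (the KASAN report), else the low 16 bits. */
static int model_xmit(const struct model_skb *skb)
{
    if (!skb->dst->live)
        return -1;
    return (int)(skb->dst->sci & 0xffff);
}

/* The sequence from the report: an skb referencing the dst is still queued when the
 * macsec netdev is torn down. 0 = pre-fix metadata_dst_free() path, 1 = fixed dst_release(). */
static int model_teardown_then_xmit(int use_dst_release)
{
    struct model_dst dst = { .refcnt = 1, .sci = 0x0011223344556677ULL, .live = 1 }; /* constructed SCI */
    struct model_skb skb = { .dst = &dst };
    dst.refcnt++;                      /* queued skb takes a reference (dst_hold) */
    if (use_dst_release)
        model_dst_release(&dst);       /* fixed macsec_free_netdev(): one holder remains */
    else
        model_dst_free(&dst);          /* pre-fix macsec_free_netdev(): gone immediately */
    int rc = model_xmit(&skb);         /* driver sends the queued skb */
    if (use_dst_release)
        model_dst_release(&dst);       /* skb consumed: last reference dropped */
    model_last_freed = !dst.live;
    return rc;
}
```

The fixed path still frees the object, just at the last reference instead of at netdev teardown, which is why the model checks model_last_freed in both cases.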

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50261.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a28bfd4971fd570d1f3e4653b21415becefc92c
Fixed
872932cf75cf859804370a265dd58118129386fa
Fixed
9f5ae743dbe9a2458540a7d35fff0f990df025cf
Fixed
4614640f1d5c93c22272117dc256e9940ccac8e8
Fixed
f1e54d11b210b53d418ff1476c6b58a2f434dfc0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50261.json"