CVE-2024-56658

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56658
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56658.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56658
Published
2024-12-27T15:06:21.516Z
Modified
2025-11-27T02:32:15.501343Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
net: defer final 'struct net' free in netns dismantle
Details

In the Linux kernel, the following vulnerability has been resolved:

net: defer final 'struct net' free in netns dismantle

Ilya reported a slab-use-after-free in dst_destroy [1]

Issue is in xfrm6_net_init() and xfrm4_net_init() :

They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.

But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later :

if (dst->ops->destroy)
    dst->ops->destroy(dst);

dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.

See a relevant issue fixed in :

ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")

A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier())

[1]

BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)
Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0
Dec 03 05:46:18 kernel:
CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67
Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:124)
print_address_description.constprop.0 (mm/kasan/report.c:378)
? dst_destroy (net/core/dst.c:112)
print_report (mm/kasan/report.c:489)
? dst_destroy (net/core/dst.c:112)
? kasan_addr_to_slab (mm/kasan/common.c:37)
kasan_report (mm/kasan/report.c:603)
? dst_destroy (net/core/dst.c:112)
? rcu_do_batch (kernel/rcu/tree.c:2567)
dst_destroy (net/core/dst.c:112)
rcu_do_batch (kernel/rcu/tree.c:2567)
? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)
? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)
rcu_core (kernel/rcu/tree.c:2825)
handle_softirqs (kernel/softirq.c:554)
__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)
irq_exit_rcu (kernel/softirq.c:651)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)
Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90
RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246
RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d
R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000
R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000
? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)
? cpuidle_idle_call (kernel/sched/idle.c:186)
default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)
cpuidle_idle_call (kernel/sched/idle.c:186)
? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)
? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)
do_idle (kernel/sched/idle.c:326)
cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))
start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)
? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)
? soft_restart_cpu (arch/x86/kernel/head_64.S:452)
common_startup_64 (arch/x86/kernel/head_64.S:414)
</TASK>
Dec 03 05:46:18 kernel:
Allocated by task 12184:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)
copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)
create_new_namespaces
---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/56xxx/CVE-2024-56658.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8
Fixed
c261dcd61c9e88a8f1a66654354d32295a975230
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8
Fixed
dac465986a4a38cd2f13e934f562b6ca344e5720
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8
Fixed
3267b254dc0a04dfa362a2be24573cfa6d2d78f5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8
Fixed
b7a79e51297f7b82adb687086f5cb2da446f1e40
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8
Fixed
6610c7f8a8d47fd1123eed55ba8c11c2444d8842
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8
Fixed
0f6ede9fbc747e2553612271bce108f7517e7a45
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3e29fa5b742479f73400468314a1c6b9cf553ee4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
ce43f6a650a6689551a217276fb0dcca33790425
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
eeca98948d8c4922e6deb16bfc9ee0bd9902dbb0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1bd631fc9a4515878c1bb7effd19335d2f2d87c2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
5.10.237
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.181
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.121
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.67
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.6