DEBIAN-CVE-2024-50261

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2024-50261
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50261.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-50261
Upstream
Downstream
Published
2024-11-09T11:15:11.610Z
Modified
2026-04-28T20:30:15.632681Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: macsec: Fix use-after-free while sending the offloading packet KASAN reports the following UAF. The metadatadst, which is used to store the SCI value for macsec offload, is already freed by metadatadstfree() in macsecfreenetdev(), while driver still use it for sending the packet. To fix this issue, dstrelease() is used instead to release metadatadst. So it is not freed instantly in macsecfreenetdev() if still referenced by skb. BUG: KASAN: slab-use-after-free in mlx5exmit+0x1e8f/0x4190 [mlx5core] Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714 [...] Workqueue: mld mldifcwork Call Trace: <TASK> dumpstacklvl+0x51/0x60 printreport+0xc1/0x600 kasanreport+0xab/0xe0 mlx5exmit+0x1e8f/0x4190 [mlx5core] devhardstartxmit+0x120/0x530 schdirectxmit+0x149/0x11e0 __qdisc_run+0x3ad/0x1730 __devqueuexmit+0x1196/0x2ed0 vlandevhard_startxmit+0x32e/0x510 [8021q] devhardstartxmit+0x120/0x530 __devqueuexmit+0x14a7/0x2ed0 macsec_startxmit+0x13e9/0x2340 devhardstartxmit+0x120/0x530 __devqueuexmit+0x14a7/0x2ed0 ip6_finishoutput2+0x923/0x1a70 ip6finishoutput+0x2d7/0x970 ip6output+0x1ce/0x3a0 NFHOOK.constprop.0+0x15f/0x190 mldsendpack+0x59a/0xbd0 mldifcwork+0x48a/0xa80 processonework+0x5aa/0xe50 workerthread+0x79c/0x1290 kthread+0x28f/0x350 retfromfork+0x2d/0x70 retfromforkasm+0x11/0x20 </TASK> Allocated by task 3922: kasansavestack+0x20/0x40 kasansavetrack+0x10/0x30 __kasan_kmalloc+0x77/0x90 __kmallocnoprof+0x188/0x400 metadatadstalloc+0x1f/0x4e0 macsecnewlink+0x914/0x1410 __rtnlnewlink+0xe08/0x15b0 rtnlnewlink+0x5f/0x90 rtnetlinkrcvmsg+0x667/0xa80 netlinkrcvskb+0x12c/0x360 netlinkunicast+0x551/0x770 netlinksendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __syssendmsg+0xb5/0x140 dosyscall64+0x4c/0x100 entrySYSCALL64afterhwframe+0x4b/0x53 Freed by task 4011: kasansavestack+0x20/0x40 kasansavetrack+0x10/0x30 kasansavefreeinfo+0x37/0x50 poisonslabobject+0x10c/0x190 __kasanslabfree+0x11/0x30 kfree+0xe0/0x290 macsecfreenetdev+0x3f/0x140 netdevruntodo+0x450/0xc70 rtnetlinkrcvmsg+0x66f/0xa80 netlinkrcvskb+0x12c/0x360 netlinkunicast+0x551/0x770 netlinksendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 _syssendmsg+0xb5/0x140 dosyscall64+0x4c/0x100 entrySYSCALL64afterhwframe+0x4b/0x53

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.119-1

Affected versions

6.*
6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50261.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.11.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50261.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.11.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50261.json"

Debian:11 / linux-6.1

Package

Name
linux-6.1
Purl
pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.119-1~deb11u1

Affected versions

6.*
6.1.106-3~deb11u1
6.1.106-3~deb11u2
6.1.106-3~deb11u3
6.1.112-1~deb11u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50261.json"