{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-56635","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-27T15:00:39.838Z","datePublished":"2024-12-27T15:02:38.213Z","dateUpdated":"2025-05-04T10:00:39.813Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:00:39.813Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential UAF in default_operstate()\n\nsyzbot reported an UAF in default_operstate() [1]\n\nIssue is a race between device and netns dismantles.\n\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\n\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\n\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\n\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\n  default_operstate net/core/link_watch.c:51 [inline]\n  rfc2863_policy+0x224/0x300 net/core/link_watch.c:67\n  linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\n  netdev_run_todo+0x461/0x1000 net/core/dev.c:10894\n  rtnl_unlock net/core/rtnetlink.c:152 [inline]\n  rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\n  rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\n  rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:726\n  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n  ___sys_sendmsg net/socket.c:2637 [inline]\n  __sys_sendmsg+0x269/0x350 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n </TASK>\n\nAllocated by task 5339:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n  kmalloc_noprof include/linux/slab.h:901 [inline]\n  kmalloc_array_noprof include/linux/slab.h:945 [inline]\n  netdev_create_hash net/core/dev.c:11870 [inline]\n  netdev_init+0x10c/0x250 net/core/dev.c:11890\n  ops_init+0x31e/0x590 net/core/net_namespace.c:138\n  setup_net+0x287/0x9e0 net/core/net_namespace.c:362\n  copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\n  create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\n  ksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n  __do_sys_unshare kernel/fork.c:3385 [inline]\n  __se_sys_unshare kernel/fork.c:3383 [inline]\n  __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x8\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/link_watch.c"],"versions":[{"version":"8c55facecd7ade835287298ce325f930d888d8ec","lessThan":"3265aab0736f78bb218200b06b1abb525c316269","status":"affected","versionType":"git"},{"version":"8c55facecd7ade835287298ce325f930d888d8ec","lessThan":"316183d58319f191e16503bc2dffa156c4442df2","status":"affected","versionType":"git"},{"version":"8c55facecd7ade835287298ce325f930d888d8ec","lessThan":"750e51603395e755537da08f745864c93e3ce741","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/link_watch.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.66","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.5","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.66"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3265aab0736f78bb218200b06b1abb525c316269"},{"url":"https://git.kernel.org/stable/c/316183d58319f191e16503bc2dffa156c4442df2"},{"url":"https://git.kernel.org/stable/c/750e51603395e755537da08f745864c93e3ce741"}],"title":"net: avoid potential UAF in default_operstate()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-56635","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-10T17:12:40.278798Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-10T17:21:08.285Z"}}]}}