CVE-2024-53140 Affecting kernel-rt-debug package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL9-KERNELRTDEBUG-8478967
- published5 Dec 2024
- disclosed4 Dec 2024
Introduced: 4 Dec 2024
NewCVE-2024-53140 (opens in a new tab)How to fix?
There is no fixed version for RHEL:9 kernel-rt-debug.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-rt-debug package and not the kernel-rt-debug package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
netlink: terminate outstanding dump on socket close
Netlink supports iterative dumping of data. It provides the families the following ops:
- start - (optional) kicks off the dumping process
- dump - actual dump helper, keeps getting called until it returns 0
- done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket.
This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done.
The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed.
Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one.
The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress.
Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own.
References
- https://access.redhat.com/security/cve/CVE-2024-53140
- https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834
- https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f
- https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505
- https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98
- https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca