CVE-2024-49980

{"id": "CVE-2024-49980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-21T18:15:18.613", "references": [{"url": "https://git.kernel.org/stable/c/718a752bd746b3f4dd62516bb437baf73d548415", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c9381b3138246d46536db93ed696832abd70204", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b04c4d9eb4f25b950b33218e33b04c94e7445e51", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e61f8c4d179b2ffc0d3b7f821c3734be738643d0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: revert \"vrf: Remove unnecessary RCU-bh critical section\"\n\nThis reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.\n\ndev_queue_xmit_nit is expected to be called with BH disabled.\n__dev_queue_xmit has the following:\n\n /* Disable soft irqs for various locks below. Also\n * stops preemption for RCU.\n */\n rcu_read_lock_bh();\n\nVRF must follow this invariant. The referenced commit removed this\nprotection. Which triggered a lockdep warning:\n\n\t================================\n\tWARNING: inconsistent lock state\n\t6.11.0 #1 Tainted: G W\n\t--------------------------------\n\tinconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n\tbtserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:\n\tffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30\n\t{IN-SOFTIRQ-W} state was registered at:\n\t lock_acquire+0x19a/0x4f0\n\t _raw_spin_lock+0x27/0x40\n\t packet_rcv+0xa33/0x1320\n\t __netif_receive_skb_core.constprop.0+0xcb0/0x3a90\n\t __netif_receive_skb_list_core+0x2c9/0x890\n\t netif_receive_skb_list_internal+0x610/0xcc0\n [...]\n\n\tother info that might help us debug this:\n\t Possible unsafe locking scenario:\n\n\t CPU0\n\t ----\n\t lock(rlock-AF_PACKET);\n\t <Interrupt>\n\t lock(rlock-AF_PACKET);\n\n\t *** DEADLOCK ***\n\n\tCall Trace:\n\t <TASK>\n\t dump_stack_lvl+0x73/0xa0\n\t mark_lock+0x102e/0x16b0\n\t __lock_acquire+0x9ae/0x6170\n\t lock_acquire+0x19a/0x4f0\n\t _raw_spin_lock+0x27/0x40\n\t tpacket_rcv+0x863/0x3b30\n\t dev_queue_xmit_nit+0x709/0xa40\n\t vrf_finish_direct+0x26e/0x340 [vrf]\n\t vrf_l3_out+0x5f4/0xe80 [vrf]\n\t __ip_local_out+0x51e/0x7a0\n [...]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vrf: revert \"vrf: Remove unexpected RCU-bh critical section\" Esto revierte el commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853. Se espera que dev_queue_xmit_nit se llame con BH deshabilitado. __dev_queue_xmit tiene lo siguiente: /* Deshabilitar irqs suaves para varios bloqueos a continuaci\u00f3n. Tambi\u00e9n * detiene la preempci\u00f3n para RCU. */ rcu_read_lock_bh(); VRF debe seguir esta invariante. el commit a la que se hace referencia elimin\u00f3 esta protecci\u00f3n. Lo que activ\u00f3 una advertencia de lockdep: ================================= ADVERTENCIA: estado de bloqueo inconsistente 6.11.0 #1 Tainted: GW -------------------------------- uso inconsistente de {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W}. btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] toma: ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, en: tpacket_rcv+0x863/0x3b30 {IN-SOFTIRQ-W} el estado se registr\u00f3 en: lock_acquire+0x19a/0x4f0 _raw_spin_lock+0x27/0x40 packet_rcv+0xa33/0x1320 __netif_receive_skb_core.constprop.0+0xcb0/0x3a90 __netif_receive_skb_list_core+0x2c9/0x890 netif_receive_skb_list_internal+0x610/0xcc0 [...] otra informaci\u00f3n que podr\u00eda ayudar Depuremos esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(rlock-AF_PACKET); lock(rlock-AF_PACKET); *** BLOQUEO INTERMEDIO *** Seguimiento de llamadas: dump_stack_lvl+0x73/0xa0 mark_lock+0x102e/0x16b0 __lock_acquire+0x9ae/0x6170 lock_acquire+0x19a/0x4f0 _raw_spin_lock+0x27/0x40 tpacket_rcv+0x863/0x3b30 dev_queue_xmit_nit+0x709/0xa40 vrf_finish_direct+0x26e/0x340 [vrf] vrf_l3_out+0x5f4/0xe80 [vrf] __ip_local_out+0x51e/0x7a0 [...]"}], "lastModified": "2024-10-31T14:58:27.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F23DA31-E148-44C0-BE2A-2BF42A564DC7", "versionEndExcluding": "6.6.55", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C16BCE0-FFA0-4599-BE0A-1FD65101C021", "versionEndExcluding": "6.10.14", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}