First published: Tue Feb 27 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: net: fix use-after-free in tw_timer_handler A real world panic issue was found as follow in Linux 5.4. BUG: unable to handle page fault for address: ffffde49a863de28 PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0 RIP: 0010:tw_timer_handler+0x20/0x40 Call Trace: <IRQ> call_timer_fn+0x2b/0x120 run_timer_softirq+0x1ef/0x450 __do_softirq+0x10d/0x2b8 irq_exit+0xc7/0xd0 smp_apic_timer_interrupt+0x68/0x120 apic_timer_interrupt+0xf/0x20 This issue was also reported since 2017 in the thread [1], unfortunately, the issue was still can be reproduced after fixing DCCP. The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net namespace is destroyed since tcp_sk_ops is registered befrore ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops in the list of pernet_list. There will be a use-after-free on net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net if there are some inflight time-wait timers. This bug is not introduced by commit f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH") since the net_statistics is a global variable instead of dynamic allocation and freeing. Actually, commit 61a7e26028b9 ("mib: put net statistics on struct net") introduces the bug since it put net statistics on struct net and free it when net namespace is destroyed. Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug and replace pr_crit() with panic() since continuing is meaningless when init_ipv4_mibs() fails. [1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | >=2.6.27<4.4.298 | |
Linux Linux kernel | >=4.5.0<4.9.296 | |
Linux Linux kernel | >=4.10.0<4.14.261 | |
Linux Linux kernel | >=4.15.0<4.19.224 | |
Linux Linux kernel | >=4.20.0<5.4.170 | |
Linux Linux kernel | >=5.5.0<5.10.90 | |
Linux Linux kernel | >=5.11.0<5.15.13 | |
ubuntu/linux | <5.16~ | 5.16~ |
ubuntu/linux | <4.4.0-253.287 | 4.4.0-253.287 |
ubuntu/linux-aws | <4.4.0-1130.136 | 4.4.0-1130.136 |
ubuntu/linux-aws | <5.16~ | 5.16~ |
ubuntu/linux-aws | <4.4.0-1168.183 | 4.4.0-1168.183 |
ubuntu/linux-aws-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-aws-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-aws-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-aws-hwe | <5.16~ | 5.16~ |
ubuntu/linux-azure | <5.16~ | 5.16~ |
ubuntu/linux-azure-4.15 | <5.16~ | 5.16~ |
ubuntu/linux-azure-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-azure-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-azure-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-azure-fde | <5.16~ | 5.16~ |
ubuntu/linux-azure-fde-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-bluefield | <5.16~ | 5.16~ |
ubuntu/linux-fips | <5.16~ | 5.16~ |
ubuntu/linux-gcp | <5.16~ | 5.16~ |
ubuntu/linux-gcp-4.15 | <5.16~ | 5.16~ |
ubuntu/linux-gcp-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-gcp-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-gcp-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-gke | <5.16~ | 5.16~ |
ubuntu/linux-gkeop | <5.16~ | 5.16~ |
ubuntu/linux-gkeop-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-hwe | <5.16~ | 5.16~ |
ubuntu/linux-hwe-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-hwe-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-hwe-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-ibm | <5.16~ | 5.16~ |
ubuntu/linux-ibm-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-ibm-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-intel-iotg | <5.16~ | 5.16~ |
ubuntu/linux-intel-iotg-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-iot | <5.16~ | 5.16~ |
ubuntu/linux-kvm | <5.16~ | 5.16~ |
ubuntu/linux-kvm | <4.4.0-1131.141 | 4.4.0-1131.141 |
ubuntu/linux-laptop | <5.16~ | 5.16~ |
ubuntu/linux-lowlatency | <5.16~ | 5.16~ |
ubuntu/linux-lowlatency-hwe-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-lowlatency-hwe-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-lts-xenial | <4.4.0-253.287~14.04.1 | 4.4.0-253.287~14.04.1 |
ubuntu/linux-lts-xenial | <5.16~ | 5.16~ |
ubuntu/linux-nvidia | <5.16~ | 5.16~ |
ubuntu/linux-oem-6.1 | <5.16~ | 5.16~ |
ubuntu/linux-oem-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-oracle | <5.16~ | 5.16~ |
ubuntu/linux-oracle-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-oracle-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-oracle-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-raspi | <5.16~ | 5.16~ |
ubuntu/linux-raspi-5.4 | <5.16~ | 5.16~ |
ubuntu/linux-riscv | <5.16~ | 5.16~ |
ubuntu/linux-riscv-5.15 | <5.16~ | 5.16~ |
ubuntu/linux-riscv-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-starfive | <5.16~ | 5.16~ |
ubuntu/linux-starfive-6.5 | <5.16~ | 5.16~ |
ubuntu/linux-xilinx-zynqmp | <5.16~ | 5.16~ |
debian/linux | 4.19.249-2 4.19.304-1 5.10.209-2 5.10.205-2 6.1.76-1 6.1.85-1 6.6.15-2 6.7.12-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.