CVE-2024-40958
Description
In the Linux kernel, the following vulnerability has been resolved:

netns: Make get_net_ns() handle zero refcount net

Syzkaller hit a warning:

```
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? show_regs+0xa3/0xc0
 ? __warn+0xa5/0x1c0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? report_bug+0x1fc/0x2d0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? handle_bug+0xa1/0x110
 ? exc_invalid_op+0x3c/0xb0
 ? asm_exc_invalid_op+0x1f/0x30
 ? __warn_printk+0xcc/0x140
 ? __warn_printk+0xd5/0x140
 ? refcount_warn_saturate+0xdf/0x1d0
 get_net_ns+0xa4/0xc0
 ? __pfx_get_net_ns+0x10/0x10
 open_related_ns+0x5a/0x130
 __tun_chr_ioctl+0x1616/0x2370
 ? __sanitizer_cov_trace_switch+0x58/0xa0
 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
 ? __pfx_tun_chr_ioctl+0x10/0x10
 tun_chr_ioctl+0x2f/0x40
 __x64_sys_ioctl+0x11b/0x160
 x64_sys_call+0x1211/0x20d0
 do_syscall_64+0x9e/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
```

This is triggered as below:

```
          ns0                                      ns1
tun_set_iff() //dev is tun0
   tun->dev = dev
//ip link set tun0 netns ns1
                                         put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
   net = dev_net(tun->dev);
   open_related_ns(&net->ns, get_net_ns); //ns1
     get_net_ns()
        get_net() //addition on 0
```

Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
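The ordering in the description, replayed as an added user-space model in C (not kernel code and not taken from the fix commit): `struct net_model` and the `*_model` functions are hypothetical stand-ins for `struct net`, `get_net()`, `maybe_get_net()` and `put_net()`. It contrasts an unconditional increment on a count that has already reached zero with an increment-unless-zero; the model simply increments where the kernel's `refcount_t` emits the warning shown above.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct net: only the reference count is modelled. */
struct net_model { atomic_int refs; };

/* Models get_net(): increments unconditionally, even if the count is already 0. */
static struct net_model *get_net_model(struct net_model *net)
{
    atomic_fetch_add(&net->refs, 1);
    return net;
}

/* Models maybe_get_net(): takes a reference only while the count is non-zero. */
static struct net_model *maybe_get_net_model(struct net_model *net)
{
    int old = atomic_load(&net->refs);
    while (old != 0) {
        /* On CAS failure 'old' is reloaded, so the zero check runs again. */
        if (atomic_compare_exchange_weak(&net->refs, &old, old + 1))
            return net;
    }
    return NULL; /* the object is already being torn down: refuse the reference */
}

/* Models put_net(): returns true when the last reference was dropped. */
static bool put_net_model(struct net_model *net)
{
    return atomic_fetch_sub(&net->refs, 1) == 1;
}

/* Replays the ordering from the description; returns the count after the late lookup. */
static int replay(bool use_maybe, bool *got_ref)
{
    struct net_model ns1;
    atomic_init(&ns1.refs, 1);   /* ns1 is alive and tun0 has been moved into it */
    put_net_model(&ns1);         /* last reference dropped: count is now 0 */
    struct net_model *n = use_maybe ? maybe_get_net_model(&ns1)
                                    : get_net_model(&ns1); /* TUNGETDEVNETNS path */
    *got_ref = (n != NULL);
    return atomic_load(&ns1.refs);
}

int main(void)
{
    bool got;
    int refs = replay(false, &got);
    printf("get_net model:       got=%d refs=%d (count revived from 0)\n", got, refs);
    refs = replay(true, &got);
    printf("maybe_get_net model: got=%d refs=%d (lookup refused)\n", got, refs);
    return 0;
}
```
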
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-5363.html
Vendor advisory: alma — https://bugzilla.redhat.com/2297545
Vendor advisory: alma — https://bugzilla.redhat.com/2297512
Vendor advisory: alma — https://bugzilla.redhat.com/2297056
Vendor advisory: alma — https://bugzilla.redhat.com/2293688
Vendor advisory: alma — https://bugzilla.redhat.com/2293687
Vendor advisory: alma — https://bugzilla.redhat.com/2293686
Vendor advisory: alma — https://bugzilla.redhat.com/2293657
Vendor advisory: alma — https://bugzilla.redhat.com/2293418
Vendor advisory: alma — https://bugzilla.redhat.com/2293208
Vendor advisory: alma — https://bugzilla.redhat.com/2292331
Vendor advisory: alma — https://bugzilla.redhat.com/2284543
Vendor advisory: alma — https://bugzilla.redhat.com/2284513
Vendor advisory: alma — https://bugzilla.redhat.com/2284496
Vendor advisory: alma — https://bugzilla.redhat.com/2284474
Vendor advisory: alma — https://bugzilla.redhat.com/2284417
Vendor advisory: alma — https://bugzilla.redhat.com/2284400
Vendor advisory: alma — https://bugzilla.redhat.com/2282719
Vendor advisory: alma — https://bugzilla.redhat.com/2281949
Vendor advisory: alma — https://bugzilla.redhat.com/2281900
Vendor advisory: alma — https://bugzilla.redhat.com/2281821
Vendor advisory: alma — https://bugzilla.redhat.com/2281667
Vendor advisory: alma — https://bugzilla.redhat.com/2281639
Vendor advisory: alma — https://bugzilla.redhat.com/2281272
Vendor advisory: alma — https://bugzilla.redhat.com/2281265
Vendor advisory: alma — https://bugzilla.redhat.com/2281257
Vendor advisory: alma — https://bugzilla.redhat.com/2281237
Vendor advisory: alma — https://bugzilla.redhat.com/2281190
Vendor advisory: alma — https://bugzilla.redhat.com/2281133
Vendor advisory: alma — https://bugzilla.redhat.com/2281097
Vendor advisory: alma — https://bugzilla.redhat.com/2281057
Vendor advisory: alma — https://bugzilla.redhat.com/2278989
Vendor advisory: alma — https://bugzilla.redhat.com/2278519
Vendor advisory: alma — https://bugzilla.redhat.com/2278429
Vendor advisory: alma — https://bugzilla.redhat.com/2278417
Vendor advisory: alma — https://bugzilla.redhat.com/2278380
Vendor advisory: alma — https://bugzilla.redhat.com/2275748
Vendor advisory: alma — https://bugzilla.redhat.com/2275715
Vendor advisory: alma — https://bugzilla.redhat.com/2275655
Vendor advisory: alma — https://bugzilla.redhat.com/2275600
Vendor advisory: alma — https://bugzilla.redhat.com/2273405
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-7001.html
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:7001
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-7000.html
Vendor advisory: alma — https://bugzilla.redhat.com/2306365
Vendor advisory: alma — https://bugzilla.redhat.com/2305488
Vendor advisory: alma — https://bugzilla.redhat.com/2305467
Vendor advisory: alma — https://bugzilla.redhat.com/2305410
Vendor advisory: alma — https://bugzilla.redhat.com/2303514
Vendor advisory: alma — https://bugzilla.redhat.com/2303508
Vendor advisory: alma — https://bugzilla.redhat.com/2303506
Vendor advisory: alma — https://bugzilla.redhat.com/2303505
Vendor advisory: alma — https://bugzilla.redhat.com/2303077
Vendor advisory: alma — https://bugzilla.redhat.com/2301544
Vendor advisory: alma — https://bugzilla.redhat.com/2301543
Vendor advisory: alma — https://bugzilla.redhat.com/2301522
Vendor advisory: alma — https://bugzilla.redhat.com/2301519
Vendor advisory: alma — https://bugzilla.redhat.com/2301496
Vendor advisory: alma — https://bugzilla.redhat.com/2301489
Vendor advisory: alma — https://bugzilla.redhat.com/2301477
Vendor advisory: alma — https://bugzilla.redhat.com/2300713
Vendor advisory: alma — https://bugzilla.redhat.com/2300709
Vendor advisory: alma — https://bugzilla.redhat.com/2300552
Vendor advisory: alma — https://bugzilla.redhat.com/2300533
Vendor advisory: alma — https://bugzilla.redhat.com/2300492
Vendor advisory: alma — https://bugzilla.redhat.com/2300453
Vendor advisory: alma — https://bugzilla.redhat.com/2300448
Vendor advisory: alma — https://bugzilla.redhat.com/2300440
Vendor advisory: alma — https://bugzilla.redhat.com/2300439
Vendor advisory: alma — https://bugzilla.redhat.com/2300434
Vendor advisory: alma — https://bugzilla.redhat.com/2300430
Vendor advisory: alma — https://bugzilla.redhat.com/2300429
Vendor advisory: alma — https://bugzilla.redhat.com/2300414
Vendor advisory: alma — https://bugzilla.redhat.com/2300410
Vendor advisory: alma — https://bugzilla.redhat.com/2300409
Vendor advisory: alma — https://bugzilla.redhat.com/2300408
Vendor advisory: alma — https://bugzilla.redhat.com/2300407
Vendor advisory: alma — https://bugzilla.redhat.com/2300402
Vendor advisory: alma — https://bugzilla.redhat.com/2300381
Vendor advisory: alma — https://bugzilla.redhat.com/2300297
Vendor advisory: alma — https://bugzilla.redhat.com/2300296
Vendor advisory: alma — https://bugzilla.redhat.com/2299452
Vendor advisory: alma — https://bugzilla.redhat.com/2299336
Vendor advisory: alma — https://bugzilla.redhat.com/2299240
Vendor advisory: alma — https://bugzilla.redhat.com/2298640
Vendor advisory: alma — https://bugzilla.redhat.com/2298177
Vendor advisory: alma — https://bugzilla.redhat.com/2298140
Vendor advisory: alma — https://bugzilla.redhat.com/2298079
Vendor advisory: alma — https://bugzilla.redhat.com/2297909
Vendor advisory: alma — https://bugzilla.redhat.com/2297706
Vendor advisory: alma — https://bugzilla.redhat.com/2297589
Vendor advisory: alma — https://bugzilla.redhat.com/2297582
Vendor advisory: alma — https://bugzilla.redhat.com/2297581
Vendor advisory: alma — https://bugzilla.redhat.com/2297579
Vendor advisory: alma — https://bugzilla.redhat.com/2297573
Vendor advisory: alma — https://bugzilla.redhat.com/2297572
Vendor advisory: alma — https://bugzilla.redhat.com/2297562
Vendor advisory: alma — https://bugzilla.redhat.com/2297561
Vendor advisory: alma — https://bugzilla.redhat.com/2297556
Vendor advisory: alma — https://bugzilla.redhat.com/2297544
Vendor advisory: alma — https://bugzilla.redhat.com/2297543
Vendor advisory: alma — https://bugzilla.redhat.com/2297542
Vendor advisory: alma — https://bugzilla.redhat.com/2297538
Vendor advisory: alma — https://bugzilla.redhat.com/2297525
Vendor advisory: alma — https://bugzilla.redhat.com/2297515
Vendor advisory: alma — https://bugzilla.redhat.com/2297513
Vendor advisory: alma — https://bugzilla.redhat.com/2297496
Vendor advisory: alma — https://bugzilla.redhat.com/2297495
Vendor advisory: alma — https://bugzilla.redhat.com/2297488
Vendor advisory: alma — https://bugzilla.redhat.com/2297478
Vendor advisory: alma — https://bugzilla.redhat.com/2297473
Vendor advisory: alma — https://bugzilla.redhat.com/2297471
Vendor advisory: alma — https://bugzilla.redhat.com/2294313
Vendor advisory: alma — https://bugzilla.redhat.com/2293658
Vendor advisory: alma — https://bugzilla.redhat.com/2293441
Vendor advisory: alma — https://bugzilla.redhat.com/2293440
Vendor advisory: alma — https://bugzilla.redhat.com/2293423
Vendor advisory: alma — https://bugzilla.redhat.com/2293414
Vendor advisory: alma — https://bugzilla.redhat.com/2293408
Vendor advisory: alma — https://bugzilla.redhat.com/2293377
Vendor advisory: alma — https://bugzilla.redhat.com/2293304
Vendor advisory: alma — https://bugzilla.redhat.com/2293273
Vendor advisory: alma — https://bugzilla.redhat.com/2293270
Vendor advisory: alma — https://bugzilla.redhat.com/2293247
Vendor advisory: alma — https://bugzilla.redhat.com/2284634
Vendor advisory: alma — https://bugzilla.redhat.com/2284630
Vendor advisory: alma — https://bugzilla.redhat.com/2284628
Vendor advisory: alma — https://bugzilla.redhat.com/2284596
Vendor advisory: alma — https://bugzilla.redhat.com/2284545
Vendor advisory: alma — https://bugzilla.redhat.com/2284515
Vendor advisory: alma — https://bugzilla.redhat.com/2284511
Vendor advisory: alma — https://bugzilla.redhat.com/2284271
Vendor advisory: alma — https://bugzilla.redhat.com/2283424
Vendor advisory: alma — https://bugzilla.redhat.com/2283389
Vendor advisory: alma — https://bugzilla.redhat.com/2282918
Vendor advisory: alma — https://bugzilla.redhat.com/2282903
Vendor advisory: alma — https://bugzilla.redhat.com/2282890
Vendor advisory: alma — https://bugzilla.redhat.com/2282851
Vendor advisory: alma — https://bugzilla.redhat.com/2282764
Vendor advisory: alma — https://bugzilla.redhat.com/2282757
Vendor advisory: alma — https://bugzilla.redhat.com/2282676
Vendor advisory: alma — https://bugzilla.redhat.com/2282669
Vendor advisory: alma — https://bugzilla.redhat.com/2282648
Vendor advisory: alma — https://bugzilla.redhat.com/2282511
Vendor advisory: alma — https://bugzilla.redhat.com/2282508
Vendor advisory: alma — https://bugzilla.redhat.com/2282440
Vendor advisory: alma — https://bugzilla.redhat.com/2282422
Vendor advisory: alma — https://bugzilla.redhat.com/2282401
Vendor advisory: alma — https://bugzilla.redhat.com/2282366
Vendor advisory: alma — https://bugzilla.redhat.com/2282357
Vendor advisory: alma — https://bugzilla.redhat.com/2282356
Vendor advisory: alma — https://bugzilla.redhat.com/2282355
Vendor advisory: alma — https://bugzilla.redhat.com/2282354
Vendor advisory: alma — https://bugzilla.redhat.com/2282345
Vendor advisory: alma — https://bugzilla.redhat.com/2282324
Vendor advisory: alma — https://bugzilla.redhat.com/2281847
Vendor advisory: alma — https://bugzilla.redhat.com/2281807
Vendor advisory: alma — https://bugzilla.redhat.com/2281720
Vendor advisory: alma — https://bugzilla.redhat.com/2281704
Vendor advisory: alma — https://bugzilla.redhat.com/2281317
Vendor advisory: alma — https://bugzilla.redhat.com/2281217
Vendor advisory: alma — https://bugzilla.redhat.com/2278447
Vendor advisory: alma — https://bugzilla.redhat.com/2278270
Vendor advisory: alma — https://bugzilla.redhat.com/2278220
Vendor advisory: alma — https://bugzilla.redhat.com/2277171
Vendor advisory: alma — https://bugzilla.redhat.com/2275742
Vendor advisory: alma — https://bugzilla.redhat.com/2275690
Vendor advisory: alma — https://bugzilla.redhat.com/2275661
Vendor advisory: alma — https://bugzilla.redhat.com/2275558
Vendor advisory: alma — https://bugzilla.redhat.com/2273180
Vendor advisory: alma — https://bugzilla.redhat.com/2273148
Vendor advisory: alma — https://bugzilla.redhat.com/2273141
Vendor advisory: alma — https://bugzilla.redhat.com/2272793
Vendor advisory: alma — https://bugzilla.redhat.com/2271796
Vendor advisory: alma — https://bugzilla.redhat.com/2271648
Vendor advisory: alma — https://bugzilla.redhat.com/2270103
Vendor advisory: alma — https://bugzilla.redhat.com/2268295
Vendor advisory: alma — https://bugzilla.redhat.com/2267925
Vendor advisory: alma — https://bugzilla.redhat.com/2267916
Vendor advisory: alma — https://bugzilla.redhat.com/2267795
Vendor advisory: alma — https://bugzilla.redhat.com/2267041
Vendor advisory: alma — https://bugzilla.redhat.com/2267036
Vendor advisory: alma — https://bugzilla.redhat.com/2266750
Vendor advisory: alma — https://bugzilla.redhat.com/2266358
Vendor advisory: alma — https://bugzilla.redhat.com/2265838
Vendor advisory: alma — https://bugzilla.redhat.com/2265799
Vendor advisory: alma — https://bugzilla.redhat.com/2260038
Vendor advisory: alma — https://bugzilla.redhat.com/2258013
Vendor advisory: alma — https://bugzilla.redhat.com/2258012
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:7000
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-40958
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:5363
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-40958.html
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:7001
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:7000
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:5363
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
| sles | | affected | |
| rocky | 9 | fixed | |
| debian | bookworm | fixed | 6.1.99-1 |
| debian | bullseye | fixed | 5.10.221-1 |
| debian | forky | fixed | 6.9.7-1 |
| debian | sid | fixed | 6.9.7-1 |
| debian | trixie | fixed | 6.9.7-1 |
| linux-kernel | | affected | 5.4.279 |
| linux-kernel | 6.10 | affected | |
| almalinux | 8 | fixed | kernel-abi-stablelists-4.18.0-553.22.1.el8_10.noarch.rpm |
| almalinux | 9 | fixed | kernel-doc-5.14.0-427.31.1.el9_4.noarch.rpm |
References
- https://access.redhat.com/errata/RHSA-2024:5363
- https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef
- https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b
- https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55
- https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b
- https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940
- https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876
- https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://cert-portal.siemens.com/productcert/html/ssa-355557.html
- https://cert-portal.siemens.com/productcert/html/ssa-613116.html
- https://errata.rockylinux.org/RLSA-2024:7000
- https://errata.rockylinux.org/RLSA-2024:7001
- https://www.suse.com/security/cve/CVE-2024-40958.html
- https://errata.rockylinux.org/RLSA-2024:5363
- https://security-tracker.debian.org/tracker/CVE-2024-40958
- https://access.redhat.com/errata/RHSA-2024:7000
- https://bugzilla.redhat.com/2258012
- https://bugzilla.redhat.com/2258013
- https://bugzilla.redhat.com/2260038
- https://bugzilla.redhat.com/2265799
- https://bugzilla.redhat.com/2265838
- https://bugzilla.redhat.com/2266358
- https://bugzilla.redhat.com/2266750
CWEs
CWE-416