{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49952", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T12:17:06.047Z", "datePublished": "2024-10-21T18:02:07.718Z", "dateUpdated": "2025-05-04T09:42:12.165Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:42:12.165Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\n\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\n\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\n caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\n  nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\n  nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook+0x2c4/0x450 include/linux/netfilter.h:269\n  NF_HOOK_COND include/linux/netfilter.h:302 [inline]\n  ip_output+0x185/0x230 net/ipv4/ip_output.c:433\n  ip_local_out net/ipv4/ip_output.c:129 [inline]\n  ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\n  udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\n  udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n  __do_sys_sendmmsg net/socket.c:2766 [inline]\n  __se_sys_sendmmsg net/socket.c:2763 [inline]\n  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/netfilter/nf_dup_ipv4.c", "net/ipv6/netfilter/nf_dup_ipv6.c"], "versions": [{"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "c0add6ed2cf1c4733cd489efc61faeccd3433b41", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "531754952f5dfc4b141523088147071d6e6112c4", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "b40b027a0c0cc1cb9471a13f9730bb2fff12a15b", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "4e3542f40f3a94efa59ea328e307c50601ed7065", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "f839c5cd348201fec440d987cbca9b979bdb4fa7", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "752e1924604254f1708f3e3700283a86ebdd325d", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1e5a247c6b585c971a93895c9f738", "lessThan": "92ceba94de6fb4cee2bf40b485979c342f44a492", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/netfilter/nf_dup_ipv4.c", "net/ipv6/netfilter/nf_dup_ipv6.c"], "versions": [{"version": "4.3", "status": "affected"}, {"version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.323", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.285", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.227", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.168", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.113", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.55", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.14", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "4.19.323"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.4.285"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.10.227"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.15.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.1.113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.6.55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.10.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.11.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7"}, {"url": "https://git.kernel.org/stable/c/c0add6ed2cf1c4733cd489efc61faeccd3433b41"}, {"url": "https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4"}, {"url": "https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663"}, {"url": "https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b"}, {"url": "https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065"}, {"url": "https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7"}, {"url": "https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d"}, {"url": "https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492"}], "title": "netfilter: nf_tables: prevent nf_skb_duplicated corruption", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:36:15.803620Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:38:48.971Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49952", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T12:17:06.047Z", "datePublished": "2024-10-21T18:02:07.718Z", "dateUpdated": "2024-10-21T18:02:07.718Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-10-21T18:02:07.718Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\n\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\n\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\n caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\n  nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\n  nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook+0x2c4/0x450 include/linux/netfilter.h:269\n  NF_HOOK_COND include/linux/netfilter.h:302 [inline]\n  ip_output+0x185/0x230 net/ipv4/ip_output.c:433\n  ip_local_out net/ipv4/ip_output.c:129 [inline]\n  ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\n  udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\n  udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n  __do_sys_sendmmsg net/socket.c:2766 [inline]\n  __se_sys_sendmmsg net/socket.c:2763 [inline]\n  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/netfilter/nf_dup_ipv4.c", "net/ipv6/netfilter/nf_dup_ipv6.c"], "versions": [{"version": "d877f07112f1", "lessThan": "531754952f5d", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1", "lessThan": "38e3fd0c4a26", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1", "lessThan": "b40b027a0c0c", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1", "lessThan": "4e3542f40f3a", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1", "lessThan": "f839c5cd3482", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1", "lessThan": "752e19246042", "status": "affected", "versionType": "git"}, {"version": "d877f07112f1", "lessThan": "92ceba94de6f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/netfilter/nf_dup_ipv4.c", "net/ipv6/netfilter/nf_dup_ipv6.c"], "versions": [{"version": "4.3", "status": "affected"}, {"version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.227", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.168", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.113", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.55", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10.14", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.12-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4"}, {"url": "https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663"}, {"url": "https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b"}, {"url": "https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065"}, {"url": "https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7"}, {"url": "https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d"}, {"url": "https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492"}], "title": "netfilter: nf_tables: prevent nf_skb_duplicated corruption", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:36:15.803620Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-10-22T13:36:19.021Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEAA99E9-44C6-4908-AE62-9763660B744F", "versionEndExcluding": "4.19.323", "versionStartIncluding": "4.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5A89369-320F-47FC-8695-56F61F87E4C0", "versionEndExcluding": "5.4.285", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "795A3EE6-0CAB-4409-A903-151C94ACECC0", "versionEndExcluding": "5.10.227", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D51C05D-455B-4D8D-89E7-A58E140B864C", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E90B9576-56C4-47BC-AAB0-C5B2D438F5D0", "versionEndExcluding": "6.6.55", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C16BCE0-FFA0-4599-BE0A-1FD65101C021", "versionEndExcluding": "6.10.14", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\n\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\n\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\n caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\n  nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\n  nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook+0x2c4/0x450 include/linux/netfilter.h:269\n  NF_HOOK_COND include/linux/netfilter.h:302 [inline]\n  ip_output+0x185/0x230 net/ipv4/ip_output.c:433\n  ip_local_out net/ipv4/ip_output.c:129 [inline]\n  ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\n  udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\n  udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n  __do_sys_sendmmsg net/socket.c:2766 [inline]\n  __se_sys_sendmmsg net/socket.c:2763 [inline]\n  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: prevent nf_skb_duplicated democracy syzbot encontr\u00f3 que nf_dup_ipv4() o nf_dup_ipv6() podr\u00edan escribir la variable por CPU nf_skb_duplicated de una manera insegura [1]. Deshabilitar la preempci\u00f3n como lo sugiere el splat no es suficiente, tambi\u00e9n tenemos que deshabilitar las interrupciones suaves. [1] ERROR: uso de __this_cpu_write() en c\u00f3digo preemptible [00000000]: syz.4.282/6316 el llamador es nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 No contaminado 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:93 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49 nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [en l\u00ednea] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn incluye/linux/netfilter.h:154 [en l\u00ednea] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook+0x2c4/0x450 incluye/linux/netfilter.h:269 NF_HOOK_COND incluye/linux/netfilter.h:302 [en l\u00ednea] ip_output+0x185/0x230 net/ipv4/ip_output.c:433 ip_local_out net/ipv4/ip_output.c:129 [en l\u00ednea] ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495 udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981 udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 sock_sendmsg_nosec net/socket.c:730 [en l\u00ednea] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [en l\u00ednea] __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 __do_sys_sendmmsg net/socket.c:2766 [en l\u00ednea] __se_sys_sendmmsg net/socket.c:2763 [en l\u00ednea] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f4ce4f7def9 C\u00f3digo: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 &lt;48&gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 RDX: 00000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 "}], "id": "CVE-2024-49952", "lastModified": "2024-11-13T00:46:03.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T18:15:16.590", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c0add6ed2cf1c4733cd489efc61faeccd3433b41"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: netfilter: nf_tables: prevent nf_skb_duplicated corruption", "id": "2320482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320482"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-284", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\ncaller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:93 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\ncheck_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\nnf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nnft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\nexpr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\nnft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\nnft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\nnf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\nnf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\nnf_hook+0x2c4/0x450 include/linux/netfilter.h:269\nNF_HOOK_COND include/linux/netfilter.h:302 [inline]\nip_output+0x185/0x230 net/ipv4/ip_output.c:433\nip_local_out net/ipv4/ip_output.c:129 [inline]\nip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\nudp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\nudp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x1a6/0x270 net/socket.c:745\n____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n___sys_sendmsg net/socket.c:2651 [inline]\n__sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n__do_sys_sendmmsg net/socket.c:2766 [inline]\n__se_sys_sendmmsg net/socket.c:2763 [inline]\n__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n</TASK>"], "mitigation": {"lang": "en:us", "value": "1. This flaw can be mitigated by preventing the affected netfilter (nf_tables) kernel module from being loaded. For instructions on how to blacklist a kernel module, please see https://access.redhat.com/solutions/41278.\n2. If the module cannot be disabled, on non-containerized deployments of Red Hat Enterprise Linux, the mitigation is to disable user namespaces:\n```\n# echo \"user.max_user_namespaces=0\" > /etc/sysctl.d/userns.conf\n# sysctl -p /etc/sysctl.d/userns.conf\n```\nOn containerized deployments, such as Red Hat OpenShift Container Platform, do not use the second mitigation (disabling user namespaces) as the functionality is needed to be enabled. The first mitigation (blacklisting nf_tables) is still viable for containerized deployments, providing the environment is not using netfilter."}, "name": "CVE-2024-49952", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-49952\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49952\nhttps://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-49952-4b61@gregkh/T"], "statement": "Only local users with `CAP_NET_ADMIN` capability (or root) can trigger this issue. \nOn Red Hat Enterprise Linux, local unprivileged users can exploit unprivileged user namespaces (CONFIG_USER_NS) to grant themselves this capability.\nThe OpenShift Container Platform (OCP) control planes or master machines are based on Red Hat Enterprise Linux CoreOS (RHCOS) that consists primarily of RHEL components, hence is also affected by this kernel vulnerability. Like it is mentioned earlier, the successful exploit needs necessary privileges (CAP_NET_ADMIN) and direct, local access . Local user in RHCOS is already a root with full permissions, hence existence of this vulnerability does not bring any value from the potential attacker perspective. From the OpenShift containers perspective, this vulnerability cannot be exploited as in OpenShift the cluster processes on the node are namespaced, which means that switching in the running OpenShift container the namespace will not bring necessary capabilities.\nThis means that for OpenShift, the impact of this vulnerability is Low.\nSimilar to CVE-2023-32233 vulnerability has been explained in the following blog post as an example of \"Container escape vulnerability\":\nhttps://www.redhat.com/en/blog/containers-vulnerability-risk-assessment", "threat_severity": "Moderate"}