{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-35910", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.121Z", "datePublished": "2024-05-19T08:35:03.287Z", "dateUpdated": "2025-05-04T09:08:11.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:08:11.069Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/inet_connection_sock.h", "include/net/sock.h", "net/ipv4/inet_connection_sock.c", "net/ipv4/tcp.c"], "versions": [{"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "93f0133b9d589cc6e865f254ad9be3e9d8133f50", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "44e62f5d35678686734afd47c6a421ad30772e7f", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "e3e27d2b446deb1f643758a0c4731f5c22492810", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "91b243de910a9ac8476d40238ab3dbfeedd5b7de", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "c1ae4d1e76eacddaacb958b67cd942082f800c87", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "899265c1389fe022802aae73dbf13ee08837a35a", "status": "affected", "versionType": "git"}, {"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/inet_connection_sock.h", "include/net/sock.h", "net/ipv4/inet_connection_sock.c", "net/ipv4/tcp.c"], "versions": [{"version": "4.2", "status": "affected"}, {"version": "0", "lessThan": "4.2", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.312", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.274", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.85", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.26", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.5", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.19.312"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.4.274"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.10.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.15.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.1.85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.6.26"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.8.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"}, {"url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"}, {"url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"}, {"url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"}, {"url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"}, {"url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"}, {"url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"}, {"url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"}], "title": "tcp: properly terminate timers for kernel sockets", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-29T18:25:39.390284Z", "id": "CVE-2024-35910", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T19:44:27.885Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.925Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.925Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35910", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:25:39.390284Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T18:25:45.549Z"}}], "cna": {"title": "tcp: properly terminate timers for kernel sockets", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "93f0133b9d589cc6e865f254ad9be3e9d8133f50", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "44e62f5d35678686734afd47c6a421ad30772e7f", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "e3e27d2b446deb1f643758a0c4731f5c22492810", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "91b243de910a9ac8476d40238ab3dbfeedd5b7de", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "c1ae4d1e76eacddaacb958b67cd942082f800c87", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "899265c1389fe022802aae73dbf13ee08837a35a", "versionType": "git"}, {"status": "affected", "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe", "lessThan": "151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", "versionType": "git"}], "programFiles": ["include/net/inet_connection_sock.h", "include/net/sock.h", "net/ipv4/inet_connection_sock.c", "net/ipv4/tcp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.2"}, {"status": "unaffected", "version": "0", "lessThan": "4.2", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.312", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.274", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.215", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.154", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.85", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.26", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.5", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/net/inet_connection_sock.h", "include/net/sock.h", "net/ipv4/inet_connection_sock.c", "net/ipv4/tcp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"}, {"url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"}, {"url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"}, {"url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"}, {"url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"}, {"url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"}, {"url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"}, {"url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.312", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.274", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.215", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.154", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.85", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.26", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.5", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "4.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:08:11.069Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35910", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:08:11.069Z", "dateReserved": "2024-05-17T13:50:33.121Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-19T08:35:03.287Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: termina correctamente los temporizadores para los sockets del kernel. Recibimos varios informes de syzbot sobre los temporizadores tcp que se activan despu\u00e9s de que se han desmantelado las redes correspondientes. Afortunadamente, Josef Bacik pudo provocar el problema con m\u00e1s frecuencia y pudo probar un parche que escrib\u00ed hace dos a\u00f1os. Cuando los sockets TCP est\u00e1n cerrados, llamamos a inet_csk_clear_xmit_timers() para \"detener\" los temporizadores. Se puede llamar a inet_csk_clear_xmit_timers() desde cualquier contexto, incluso cuando se mantiene el bloqueo del socket. Esta es la raz\u00f3n por la que usa sk_stop_timer(), tambi\u00e9n conocido como del_timer(). Esto significa que los cron\u00f3metros en curso podr\u00edan finalizar mucho m\u00e1s tarde. Para los sockets de usuario, esto est\u00e1 bien porque cada temporizador en ejecuci\u00f3n tiene una referencia en el socket, y el socket de usuario tiene una referencia en las redes. Para los sockets del kernel, corremos el riesgo de que la red se libere antes de que se complete el temporizador, porque los sockets del kernel no mantienen referencias en las redes. Este parche agrega la funci\u00f3n inet_csk_clear_xmit_timers_sync() que usa sk_stop_timer_sync() para garantizar que todos los temporizadores finalicen antes de que se libere el socket del kernel. Los m\u00f3dulos que utilizan sockets del kernel los cierran en su controlador netns exit(). Tambi\u00e9n agregue el asistente sock_not_owned_by_me() para obtener soporte LOCKDEP: no se debe llamar a inet_csk_clear_xmit_timers_sync() mientras se mantiene el bloqueo del socket. Es muy posible que podamos revertir en el futuro la confirmaci\u00f3n 3a58f13a881e (\"net: rds: adquirir refcount en sockets TCP\") que intent\u00f3 resolver el problema solo en rds. (net/smc/af_smc.c y net/mptcp/subflow.c tienen c\u00f3digo similar) Probablemente podamos eliminar las pruebas check_net() de tcp_out_of_resources() y __tcp_close() en el futuro."}], "id": "CVE-2024-35910", "lastModified": "2024-11-21T09:21:10.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-19T09:15:11.617", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:5102", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5101", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.16.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5255", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.67.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-13T00:00:00Z"}], "bugzilla": {"description": "kernel: tcp: properly terminate timers for kernel sockets", "id": "2281641", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281641"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntcp: properly terminate timers for kernel sockets\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future."], "name": "CVE-2024-35910", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35910\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35910\nhttps://lore.kernel.org/linux-cve-announce/2024051955-CVE-2024-35910-5f95@gregkh/T"], "threat_severity": "Moderate"}

{}