{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53140", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-11-19T17:17:24.997Z", "datePublished": "2024-12-04T14:20:44.914Z", "dateUpdated": "2024-12-19T09:40:09.982Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:40:09.982Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump - actual dump helper, keeps getting called until it returns 0\n - done - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon't actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we're back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn't have to take a reference of its own."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netlink/af_netlink.c", "net/netlink/af_netlink.h"], "versions": [{"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "114a61d8d94ae3a43b82446cf737fd757021b834", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "598c956b62699c3753929602560d8df322e60559", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "4e87a52133284afbd40fb522dbf96e258af52a98", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "176c41b3ca9281a9736b67c6121b03dbf0c8c08f", "status": "affected", "versionType": "git"}, {"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "lessThan": "1904fb9ebf911441f90a68e96b22aa73e4410505", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netlink/af_netlink.c", "net/netlink/af_netlink.h"], "versions": [{"version": "4.9", "status": "affected"}, {"version": "0", "lessThan": "4.9", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.325", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.287", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.231", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.174", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.119", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.63", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.10", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834"}, {"url": "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559"}, {"url": "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4"}, {"url": "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603"}, {"url": "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98"}, {"url": "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca"}, {"url": "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f"}, {"url": "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505"}], "title": "netlink: terminate outstanding dump on socket close", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5248A519-0AF6-4AC1-8ECE-37F8CD8EBC14", "versionEndExcluding": "4.5", "versionStartIncluding": "4.4.38", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F21838E0-EAFD-46C4-BBE5-5A923017C905", "versionEndExcluding": "4.9", "versionStartIncluding": "4.8.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7CBFDD0-07CC-4753-80B2-E08589BDD9EF", "versionEndExcluding": "6.1.119", "versionStartIncluding": "4.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8800BB45-48BC-4B52-BDA5-B1E4633F42E5", "versionEndExcluding": "6.6.63", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C256F46A-AFDD-4B99-AA4F-67D9D9D2C55A", "versionEndExcluding": "6.11.10", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump - actual dump helper, keeps getting called until it returns 0\n - done - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon't actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we're back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn't have to take a reference of its own."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netlink: termina el volcado pendiente al cerrar el socket Netlink admite el volcado iterativo de datos. Proporciona a las familias las siguientes operaciones: - start - (opcional) inicia el proceso de volcado - dump - asistente de volcado real, se sigue llamando hasta que devuelve 0 - done - (opcional) se empareja con .start, se puede usar para limpieza Todo el proceso es asincr\u00f3nico y las llamadas repetidas a .dump en realidad no ocurren en un bucle cerrado, sino que se activan en respuesta a recvmsg() en el socket. Esto le da al usuario control total sobre el volcado, pero tambi\u00e9n significa que el usuario puede cerrar el socket sin llegar al final del volcado. Para asegurarnos de que .start siempre est\u00e9 emparejado con .done, verificamos si hay un volcado en curso antes de liberar el socket y, si es as\u00ed, llamamos a .done. La complicaci\u00f3n es que los sockets pueden liberarse de BH y se permite que .done duerma. Entonces, usamos una cola de trabajo para diferir la llamada, cuando sea necesario. Lamentablemente, esto no funciona correctamente. Lo que postergamos no es la limpieza, sino la liberaci\u00f3n de una referencia en el socket. No tenemos garant\u00eda de que seamos due\u00f1os de la \u00faltima referencia; si alguien m\u00e1s tiene el socket, puede liberarlo en BH y volvemos al punto de partida. Sin embargo, todo el baile parece ser innecesario. Solo el usuario puede interactuar con los volcados, por lo que podemos limpiar cuando se cierra el socket. Y el cierre siempre ocurre en el contexto del proceso. Es posible que alg\u00fan c\u00f3digo asincr\u00f3nico a\u00fan acceda al socket despu\u00e9s del cierre, ponga en cola skbs de notificaci\u00f3n, etc., pero ning\u00fan volcado puede comenzar, finalizar o avanzar de otro modo. Elimine la cola de trabajo y vac\u00ede el estado del volcado directamente desde el controlador de liberaci\u00f3n. Tenga en cuenta que es posible realizar una desinfecci\u00f3n adicional en -next, por ejemplo, ahora siempre llamamos a .done antes de liberar la referencia del m\u00f3dulo principal, por lo que el volcado no tiene que tomar una referencia propia."}], "id": "CVE-2024-53140", "lastModified": "2024-12-14T21:15:38.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-04T15:15:16.803", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: netlink: terminate outstanding dump on socket close", "id": "2330345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330345"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetlink: terminate outstanding dump on socket close\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n- start - (optional) kicks off the dumping process\n- dump - actual dump helper, keeps getting called until it returns 0\n- done - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon't actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we're back\nto square one.\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn't have to take a reference of its own."], "name": "CVE-2024-53140", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53140\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53140\nhttps://lore.kernel.org/linux-cve-announce/2024120453-CVE-2024-53140-6ecf@gregkh/T"], "threat_severity": "Low"}