CVE-2024-57795 Information
Description
In the Linux kernel the following vulnerability has been resolved:
RDMA/rxe: Remove the direct link to net_device
The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889
This problem also occurred in RXE. The following analyzes this problem.

In the following Call Traces:

BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295

CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
1). In the link [1],

 " infiniband syz2: set down "

This means that on 839.350575 the event ib_cache_event_task was sent and queued in ib_wq.
2). In the link [1],

 " team0 (unregistering): Port device team_slave_0 removed "

It indicates that before 843.251853 the net device should be freed.
3). In the link [1],

 " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 "

This means that on 850.559070 this slab-use-after-free problem occurred.
In all:
on 839.350575 the event ib_cache_event_task was sent and queued in ib_wq;
before 843.251853 the net device veth was freed;
on 850.559070 this event was executed and the mentioned freed net device was called. Thus the above call trace occurred.
[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
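The three-step timeline above (work queued, device freed, work executed against the freed device) is the general shape of a deferred-work use-after-free, and it is easier to see in a small model than in the KASAN report. The following is an added example, not code from the kernel commit or from the rxe driver: a user-space C model in which a queued work item either caches a bare net_device pointer (the vulnerable shape) or stores only an interface index and resolves it under a held reference when it runs (a hardened shape chosen for this model to illustrate "remove the direct link"; it is not a claim about how the upstream patch is written). The struct names, the registry, the poison value standing in for KASAN's slab poisoning, and the flags value 0x1 are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model of the race behind CVE-2024-57795, constructed for this example.
 * Nothing here is kernel or rxe code; the names only mirror the roles in the report. */
#define NDEV_POISON 0xdeadbeefu   /* stands in for KASAN poisoning of a freed slab object */
#define MAX_NDEV 4
#define UAF_DETECTED (-1L)
#define DEVICE_GONE  (-2L)
struct net_device {
    int ifindex;
    unsigned int flags;    /* the field dev_get_flags() reads */
    unsigned int poison;   /* NDEV_POISON once the device has been "freed" */
    int refcnt;
};
static struct net_device *registry[MAX_NDEV];   /* stands in for the kernel's device list */

static struct net_device *ndev_register(int ifindex, unsigned int flags)
{
    struct net_device *ndev = calloc(1, sizeof(*ndev));
    if (!ndev) abort();
    ndev->ifindex = ifindex;
    ndev->flags = flags;
    ndev->refcnt = 1;                           /* the registry's own reference */
    registry[ifindex % MAX_NDEV] = ndev;
    return ndev;
}

/* Last reference dropped: poison the object instead of returning it to malloc, so a
 * late access stays observable and well-defined in this model. */
static void ndev_put(struct net_device *ndev)
{
    if (--ndev->refcnt == 0) {
        ndev->poison = NDEV_POISON;
        ndev->flags = 0;
    }
}

static void ndev_unregister(struct net_device *ndev)
{
    registry[ndev->ifindex % MAX_NDEV] = NULL;
    ndev_put(ndev);                             /* drop the registry's reference */
}

/* Resolve at use time: the device with a reference held, or NULL if it is gone. */
static struct net_device *ndev_get_by_index(int ifindex)
{
    struct net_device *ndev = registry[ifindex % MAX_NDEV];
    if (ndev) ndev->refcnt++;
    return ndev;
}
/* Models dev_get_flags(): the flags, or UAF_DETECTED if the object was already freed. */
static long model_dev_get_flags(const struct net_device *ndev)
{
    return ndev->poison == NDEV_POISON ? UAF_DETECTED : (long)ndev->flags;
}
/* Vulnerable shape: the pending work caches a bare pointer, so nothing keeps the
 * device alive between the moment it is queued and the moment it runs. */
struct work_raw { struct net_device *ndev; };
static long work_raw_run(struct work_raw *w) { return model_dev_get_flags(w->ndev); }

/* Hardened shape: the work stores only the index and resolves it when it runs,
 * holding a reference for exactly the duration of the access. */
struct work_idx { int ifindex; };
static long work_idx_run(struct work_idx *w)
{
    struct net_device *ndev = ndev_get_by_index(w->ifindex);
    if (!ndev) return DEVICE_GONE;              /* already unregistered: touch nothing */
    long rc = model_dev_get_flags(ndev);
    ndev_put(ndev);
    return rc;
}

/* Report timeline: work queued, device unregistered, work run. Yields UAF_DETECTED. */
long replay_vulnerable(void)
{
    struct net_device *ndev = ndev_register(1, 0x1);   /* 0x1: constructed flags value */
    struct work_raw w = { ndev };               /* 839.350575: event queued */
    ndev_unregister(ndev);                      /* before 843.251853: device freed */
    long rc = work_raw_run(&w);                 /* 850.559070: freed device touched */
    free(ndev);
    return rc;
}

/* Same timeline with the hardened work: DEVICE_GONE if the device was unregistered
 * first, otherwise the flags value read under a held reference. */
long replay_hardened(int unregister_first)
{
    struct net_device *ndev = ndev_register(2, 0x1);
    struct work_idx w = { ndev->ifindex };
    if (unregister_first) ndev_unregister(ndev);
    long rc = work_idx_run(&w);
    if (!unregister_first) ndev_unregister(ndev);
    free(ndev);
    return rc;
}

int main(void)
{   /* expected: vulnerable=-1 hardened(gone)=-2 hardened(alive)=1 */
    printf("%ld %ld %ld\n", replay_vulnerable(), replay_hardened(1), replay_hardened(0));
    return 0;
}
```

The point of the model is the ordering, not the data structures: any object whose pointer is captured by a work item, timer or callback must either be pinned by a reference for as long as that work is pending, or be looked up again when the work runs with a path that tolerates "already gone". The poisoning in ndev_put plays the role KASAN played in the report, turning the silent read of freed memory into a detectable result.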
Reference

https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261
https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21