{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-57795", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-01-15T13:08:59.657Z", "datePublished": "2025-01-15T13:10:23.880Z", "dateUpdated": "2025-02-13T14:04:27.443Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-20T06:28:16.103Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/sw/rxe/rxe.c", "drivers/infiniband/sw/rxe/rxe.h", "drivers/infiniband/sw/rxe/rxe_mcast.c", "drivers/infiniband/sw/rxe/rxe_net.c", "drivers/infiniband/sw/rxe/rxe_verbs.c", "drivers/infiniband/sw/rxe/rxe_verbs.h"], "versions": [{"version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "lessThan": "9f6f54e6a6863131442b40e14d1792b090c7ce21", "status": "affected", "versionType": "git"}, {"version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "lessThan": "2ac5415022d16d63d912a39a06f32f1f51140261", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/sw/rxe/rxe.c", "drivers/infiniband/sw/rxe/rxe.h", "drivers/infiniband/sw/rxe/rxe_mcast.c", "drivers/infiniband/sw/rxe/rxe_net.c", "drivers/infiniband/sw/rxe/rxe_verbs.c", "drivers/infiniband/sw/rxe/rxe_verbs.h"], "versions": [{"version": "4.8", "status": "affected"}, {"version": "0", "lessThan": "4.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.9", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21"}, {"url": "https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261"}], "title": "RDMA/rxe: Remove the direct link to net_device", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-57795", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-13T13:56:40.628550Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:04:27.443Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-57795", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-13T13:56:40.628550Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T13:56:41.933Z"}}], "cna": {"title": "RDMA/rxe: Remove the direct link to net_device", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "lessThan": "9f6f54e6a6863131442b40e14d1792b090c7ce21", "versionType": "git"}, {"status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "lessThan": "2ac5415022d16d63d912a39a06f32f1f51140261", "versionType": "git"}], "programFiles": ["drivers/infiniband/sw/rxe/rxe.c", "drivers/infiniband/sw/rxe/rxe.h", "drivers/infiniband/sw/rxe/rxe_mcast.c", "drivers/infiniband/sw/rxe/rxe_net.c", "drivers/infiniband/sw/rxe/rxe_verbs.c", "drivers/infiniband/sw/rxe/rxe_verbs.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.8"}, {"status": "unaffected", "version": "0", "lessThan": "4.8", "versionType": "semver"}, {"status": "unaffected", "version": "6.12.9", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/infiniband/sw/rxe/rxe.c", "drivers/infiniband/sw/rxe/rxe.h", "drivers/infiniband/sw/rxe/rxe_mcast.c", "drivers/infiniband/sw/rxe/rxe_net.c", "drivers/infiniband/sw/rxe/rxe_verbs.c", "drivers/infiniband/sw/rxe/rxe_verbs.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21"}, {"url": "https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-20T06:28:16.103Z"}}}, "cveMetadata": {"cveId": "CVE-2024-57795", "state": "PUBLISHED", "dateUpdated": "2025-02-13T14:04:27.443Z", "dateReserved": "2025-01-15T13:08:59.657Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-01-15T13:10:23.880Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FDA483C-73E7-44DF-B9FE-73B6812C5458", "versionEndExcluding": "6.12.9", "versionStartIncluding": "4.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: RDMA/rxe: eliminar el enlace directo a net_device El parche similar en siw se encuentra en el enlace: https://git.kernel.org/rdma/rdma/c/16b87037b48889 Este problema tambi\u00e9n se produjo en RXE. A continuaci\u00f3n se analiza este problema. En los siguientes seguimientos de llamadas: \"ERROR: KASAN: slab-use-after-free en dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff8880554640b0 por la tarea kworker/1:4/5295 CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 No contaminado 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0 Nombre del hardware: Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Cola de trabajo: infiniband ib_cache_event_task Seguimiento de llamadas: __dump_stack lib/dump_stack.c:94 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 imprimir_direcci\u00f3n_descripci\u00f3n mm/kasan/report.c:377 [en l\u00ednea] imprimir_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60 __ib_query_port drivers/infiniband/core/device.c:2111 [en l\u00ednea] ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143 ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494 ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568 process_one_work kernel/workqueue.c:3229 [en l\u00ednea] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 \" 1). En el enlace [1], \" infiniband syz2: set down \" Esto significa que en 839.350575, se envi\u00f3 el evento ib_cache_event_task y se puso en cola en ib_wq. 2). En el enlace [1], \" team0 (unregistering): Port device team_slave_0 removed \" Esto indica que antes de 843.251853, se debe liberar el dispositivo de red. 3). En el enlace [1], \" BUG: KASAN: slab-use-after-free en dev_get_flags+0x188/0x1d0 \" Esto significa que en 850.559070, ocurri\u00f3 este problema de slab-use-after-free. En total, el 839.350575, se envi\u00f3 el evento ib_cache_event_task y se puso en cola en ib_wq, antes del 843.251853, se liber\u00f3 el dispositivo de red veth. El 850.559070, se ejecut\u00f3 este evento y se llam\u00f3 al dispositivo de red liberado mencionado. Por lo tanto, se produjo el seguimiento de la llamada anterior. [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"}], "id": "CVE-2024-57795", "lastModified": "2025-03-24T17:30:57.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-15T13:15:11.563", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: RDMA/rxe: Remove the direct link to net_device", "id": "2338215", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338215"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nRDMA/rxe: Remove the direct link to net_device\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:488\nkasan_report+0x143/0x180 mm/kasan/report.c:601\ndev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nrxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n__ib_query_port drivers/infiniband/core/device.c:2111 [inline]\nib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\nib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\nib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\nworker_thread+0x870/0xd30 kernel/workqueue.c:3391\nkthread+0x2f2/0x390 kernel/kthread.c:389\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n</TASK>\n\"\n1). In the link [1],\n\"\ninfiniband syz2: set down\n\"\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n2). In the link [1],\n\"\nteam0 (unregistering): Port device team_slave_0 removed\n\"\nIt indicates that before 843.251853, the net device should be freed.\n3). In the link [1],\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\nThis means that on 850.559070, this slab-use-after-free problem occurred.\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\nbefore 843.251853, the net device veth was freed.\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"], "name": "CVE-2024-57795", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-57795\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-57795\nhttps://lore.kernel.org/linux-cve-announce/2025011533-CVE-2024-57795-e560@gregkh/T"], "threat_severity": "Moderate"}