CVE-2024-39293 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: Revert "xsk: Support redirect to any socket bound to the same umem" This reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db. This patch introduced a potential kernel crash when multiple napi instances redirect to the same AF_XDP socket. By removing the queue_index check, it is possible for multiple napi instances to access the Rx ring at the same time, which will result in a corrupted ring state which can lead to a crash when flushing the rings in __xsk_flush(). This can happen when the linked list of sockets to flush gets corrupted by concurrent accesses. A quick and small fix is not possible, so let us revert this for now.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5
https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2
https://lore.kernel.org/linux-cve-announce/2024062548-CVE-2024-39293-d42a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-39293
https://www.cve.org/CVERecord?id=CVE-2024-39293

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-06-25T14:22:39.550Z

Updated: 2025-02-27T01:57:24.185Z

Reserved: 2024-06-24T13:53:25.541Z

Link: CVE-2024-39293

Vulnrichment

Updated: 2024-08-02T04:19:20.676Z

NVD

Status : Awaiting Analysis

Published: 2024-06-25T15:15:13.993

Modified: 2024-11-21T09:27:24.390

Link: CVE-2024-39293

Redhat

Severity : Moderate

Publid Date: 2024-06-25T00:00:00Z

Links: CVE-2024-39293 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39293", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-24T13:53:25.541Z", "datePublished": "2024-06-25T14:22:39.550Z", "dateUpdated": "2025-02-27T01:57:24.185Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-27T01:57:24.185Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xdp/xsk.c"], "versions": [{"version": "2863d665ea41282379f108e4da6c8a2366ba66db", "lessThan": "19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", "status": "affected", "versionType": "git"}, {"version": "2863d665ea41282379f108e4da6c8a2366ba66db", "lessThan": "7fcf26b315bbb728036da0862de6b335da83dff2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xdp/xsk.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.5", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5"}, {"url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2"}], "title": "Revert \"xsk: Support redirect to any socket bound to the same umem\"", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T20:47:03.644056Z", "id": "CVE-2024-39293", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T20:47:15.195Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.676Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.676Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39293", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-25T20:47:03.644056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T20:47:12.408Z"}}], "cna": {"title": "Revert \"xsk: Support redirect to any socket bound to the same umem\"", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2863d665ea41282379f108e4da6c8a2366ba66db", "lessThan": "19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", "versionType": "git"}, {"status": "affected", "version": "2863d665ea41282379f108e4da6c8a2366ba66db", "lessThan": "7fcf26b315bbb728036da0862de6b335da83dff2", "versionType": "git"}], "programFiles": ["net/xdp/xsk.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.9"}, {"status": "unaffected", "version": "0", "lessThan": "6.9", "versionType": "semver"}, {"status": "unaffected", "version": "6.9.5", "versionType": "semver", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/xdp/xsk.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5"}, {"url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-27T01:57:24.185Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39293", "state": "PUBLISHED", "dateUpdated": "2025-02-27T01:57:24.185Z", "dateReserved": "2024-06-24T13:53:25.541Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-25T14:22:39.550Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Revertir \"xsk: admite redirecci\u00f3n a cualquier socket vinculado al mismo umem\". Esto revierte el commit 2863d665ea41282379f108e4da6c8a2366ba66db. Este parche introdujo un posible fallo del kernel cuando varias instancias de napi se redirigen al mismo socket AF_XDP. Al eliminar la verificaci\u00f3n queue_index, es posible que varias instancias de napi accedan al anillo Rx al mismo tiempo, lo que resultar\u00e1 en un estado de anillo corrupto que puede provocar un bloqueo al vaciar los anillos en __xsk_flush(). Esto puede suceder cuando la lista vinculada de sockets para vaciar se corrompe por accesos simult\u00e1neos. No es posible una soluci\u00f3n r\u00e1pida y peque\u00f1a, as\u00ed que revirtamos esto por ahora."}], "id": "CVE-2024-39293", "lastModified": "2024-11-21T09:27:24.390", "metrics": {}, "published": "2024-06-25T15:15:13.993", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Revert "xsk: Support redirect to any socket bound to the same umem"", "id": "2294272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294272"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now."], "name": "CVE-2024-39293", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39293\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39293\nhttps://lore.kernel.org/linux-cve-announce/2024062548-CVE-2024-39293-d42a@gregkh/T"], "threat_severity": "Moderate"}