CVE-2024-42108

{"id": "CVE-2024-42108", "cveTags": [], "metrics": {}, "published": "2024-07-30T08:15:03.333", "references": [{"url": "https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rswitch: Avoid use-after-free in rswitch_poll()\n\nThe use-after-free is actually in rswitch_tx_free(), which is inlined in\nrswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the\nsame pointer, the skb is first freed using dev_kfree_skb_any(), then the\nvalue in skb->len is used to update the interface statistics.\n\nLet's move around the instructions to use skb->len before the skb is\nfreed.\n\nThis bug is trivial to reproduce using KFENCE. It will trigger a splat\nevery few packets. A simple ARP request or ICMP echo request is enough."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: rswitch: Evite el use after free en rswitch_poll() El use after free est\u00e1 en realidad en rswitch_tx_free(), que est\u00e1 incluido en rswitch_poll(). Dado que `skb` y `gq->skbs[gq->dirty]` son de hecho el mismo puntero, el skb primero se libera usando dev_kfree_skb_any(), luego el valor en skb->len se usa para actualizar las estad\u00edsticas de la interfaz. Avancemos por las instrucciones para usar skb->len antes de liberar el skb. Este error es trivial de reproducir usando KFENCE. Activar\u00e1 un sonido cada pocos paquetes. Una simple solicitud ARP o una solicitud de eco ICMP es suficiente."}], "lastModified": "2024-07-30T13:32:45.943", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}