{"uuid": "071b232b-6083-4c0a-9429-467f82a2bdb2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-50085", "type": "seen", "source": "https://t.me/cvedetector/9227", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2024-50085 - Cisco MPTCP Subflow Use-After-Free Vulnerability\", \n \"Content\": \"CVE ID : CVE-2024-50085 \nPublished : Oct. 29, 2024, 1:15 a.m. | 38\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nmptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow \n \nSyzkaller reported this splat: \n \n ================================================================== \n BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 \n Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 \n \n CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 \n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 \n Call Trace: \n \n __dump_stack lib/dump_stack.c:94 [inline] \n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 \n print_address_description mm/kasan/report.c:377 [inline] \n print_report+0xc3/0x620 mm/kasan/report.c:488 \n kasan_report+0xd9/0x110 mm/kasan/report.c:601 \n mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 \n mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] \n mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 \n mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 \n genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 \n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] \n genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 \n netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 \n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 \n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] \n netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 \n netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 \n sock_sendmsg_nosec net/socket.c:729 [inline] \n __sock_sendmsg net/socket.c:744 [inline] \n ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 \n ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 \n __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 \n do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] \n __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 \n do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 \n entry_SYSENTER_compat_after_hwframe+0x84/0x8e \n RIP: 0023:0xf7fe4579 \n Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 \n RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 \n RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 \n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 \n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 \n R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 \n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 \n \n \n Allocated by task 5387: \n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 \n kasan_save_track+0x14/0x30 mm/kasan/common.c:68 \n poison_kmalloc_redzone mm/kasan/common.c:377 [inline] \n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 \n kmalloc_noprof include/linux/slab.h:878 [inline] \n kzalloc_noprof include/linux/slab.h:1014 [inline] \n subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 \n subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 \n __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] \n tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 \n mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 \n __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 \n mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 \n mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] \n mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 \n mptcp_worker+0x15a/0x1240 net/mptcp[...]", "creation_timestamp": "2024-10-29T03:03:03.000000Z"}