[SRU][F/J/N][PATCH 0/1] CVE-2024-56658
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Wed Feb 12 11:43:53 UTC 2025
[Impact]
net: defer final 'struct net' free in netns dismantle
BUG: KASAN: slab-use-after-free in dst_destroy
Issue is in xfrm6_net_init() and xfrm4_net_init() :
They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.
But net structure might be freed before all the dst callbacks are
called. So when dst_destroy() calls later :
    if (dst->ops->destroy)
        dst->ops->destroy(dst);
dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.
See a relevant issue fixed in :
ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")
A fix is to queue the 'struct net' to be freed after one
another cleanup_net() round (and existing rcu_barrier())
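The lifetime problem described above, modelled in a small userspace C program. This is an added illustration, not the kernel's code or the patch itself: the struct definitions, the poison flag standing in for kfree(), and the two-round cleanup_net() model are simplified stand-ins. It shows the per-netns copy of the ops template, a dst whose ops pointer points into that net, and why freeing the net in the same round it is dismantled lets a late dst_destroy() dereference freed memory, while queueing the free for the following round (after that round's rcu_barrier()) does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace model; none of these are the kernel's real types. */
struct dst_entry;

struct dst_ops {
    void (*destroy)(struct dst_entry *dst);
    int destroy_calls;            /* dst callbacks that reached this ops copy */
};

struct net {
    struct dst_ops xfrm4_dst_ops; /* per-netns copy of xfrm4_dst_ops_template */
    bool freed;                   /* poison flag standing in for a real kfree() */
};

struct dst_entry {
    struct dst_ops *ops;          /* points into the owning struct net */
    struct dst_entry *rcu_next;   /* link in the simulated RCU callback queue */
};

static int uaf_count;             /* accesses to an already-freed struct net */

static void xfrm4_dst_destroy(struct dst_entry *dst)
{
    dst->ops->destroy_calls++;
}

static const struct dst_ops xfrm4_dst_ops_template = {
    .destroy = xfrm4_dst_destroy,
};

/* Like xfrm4_net_init(): copy the template into the net's own ops block. */
static void xfrm4_net_init(struct net *net)
{
    net->xfrm4_dst_ops = xfrm4_dst_ops_template;
    net->freed = false;
}

/* Simulated slab free: mark the object so a later access is detectable,
 * the way KASAN would report a slab-use-after-free. */
static void free_net(struct net *net)
{
    net->freed = true;
}

/* dst_destroy(): the indirect call quoted in the commit message. */
static void dst_destroy(struct dst_entry *dst)
{
    struct net *owner = (struct net *)((char *)dst->ops -
                                       offsetof(struct net, xfrm4_dst_ops));
    if (owner->freed) {
        uaf_count++;              /* dst->ops lives in freed memory */
        return;
    }
    if (dst->ops->destroy)
        dst->ops->destroy(dst);
}

/* dst_release() queues the final destroy as an RCU callback. */
static void dst_release_rcu(struct dst_entry *dst, struct dst_entry **queue)
{
    dst->rcu_next = *queue;
    *queue = dst;
}

/* rcu_barrier(): drain every callback queued so far. */
static void rcu_barrier(struct dst_entry **queue)
{
    while (*queue) {
        struct dst_entry *dst = *queue;
        *queue = dst->rcu_next;
        dst_destroy(dst);
    }
}

/* Two cleanup_net() rounds. A round runs rcu_barrier(), then (modelling the
 * race) a dst of the dismantled net is released after the barrier, then the
 * nets due this round are freed. Without the fix the net is freed in the
 * round it is dismantled; with the fix its free is queued for the next
 * round. Returns how many dst callbacks touched freed memory. */
static int simulate_dismantle(bool defer_final_free)
{
    struct net net;
    struct dst_entry dst = { .ops = &net.xfrm4_dst_ops, .rcu_next = NULL };
    struct dst_entry *rcu_queue = NULL;
    struct net *free_this_round = NULL, *free_next_round = NULL;

    uaf_count = 0;
    xfrm4_net_init(&net);

    /* round 1: the net is dismantled */
    rcu_barrier(&rcu_queue);                 /* nothing pending yet */
    dst_release_rcu(&dst, &rcu_queue);        /* late release, after the barrier */
    if (defer_final_free)
        free_next_round = &net;
    else
        free_this_round = &net;
    if (free_this_round)
        free_net(free_this_round);

    /* round 2 */
    free_this_round = free_next_round;
    rcu_barrier(&rcu_queue);                 /* dst_destroy() runs here */
    if (free_this_round)
        free_net(free_this_round);

    return uaf_count;
}

int main(void)
{
    printf("without fix: %d use-after-free access(es)\n", simulate_dismantle(false));
    printf("with fix:    %d use-after-free access(es)\n", simulate_dismantle(true));
    return 0;
}
```

The model reproduces only the ordering that matters: the dst's RCU callback is queued after the round's rcu_barrier() has already run, so any net freed at the end of that same round is gone by the time the callback fires in the next one.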
[Fix]
Oracular: Fixed via upstream stable updates (LP: #2097332)
Noble: Cherry picked from mainline
Jammy: Backported from mainline
Focal: Backported from mainline
[Test case]
Compiled and boot tested.
Tested basic net namespace functionalities:
$ sudo ip netns add client
$ sudo ip netns add server
$ sudo ip link add veth1 type veth peer name veth2
$ sudo ip link set dev veth1 netns server
$ sudo ip link set dev veth2 netns client
$ sudo ip netns exec server ip addr add dev veth1 192.168.99.1/24
$ sudo ip netns exec client ip addr add dev veth2 192.168.99.2/24
$ sudo ip netns exec server ip link set dev veth1 up
$ sudo ip netns exec client ip link set dev veth2 up
$ sudo ip netns exec client ip a
3: veth2@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8a:06:9e:c4:14:d0 brd ff:ff:ff:ff:ff:ff link-netns server
    inet 192.168.99.2/24 scope global veth2
       valid_lft forever preferred_lft forever
$ sudo ip netns exec server ip a
4: veth1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 42:3d:3b:37:38:93 brd ff:ff:ff:ff:ff:ff link-netns client
    inet 192.168.99.1/24 scope global veth1
       valid_lft forever preferred_lft forever
$ sudo ip netns exec server iperf -s &
$ sudo ip netns exec client iperf -c 192.168.99.1
[ 1] local 192.168.99.2 port 37994 connected with 192.168.99.1 port 5001 (icwnd/mss/irtt=14/1448/37)
[ ID] Interval Transfer Bandwidth
[ 1] 0.0000-10.0029 sec 34.1 GBytes 29.3 Gbits/sec
$ sudo ip netns exec server ip link set veth1 netns 1
$ sudo ip netns exec client ip link set veth2 netns 1
$ sudo ip netns delete client
$ sudo ip netns delete server
[Where problems could occur]
The fix affects the network namespace subsystem. An issue with this fix
may lead to incorrect handling of network namespace cleanup and resource
deallocation. A user might experience problems such as unexpected
crashes when deleting network namespaces and lingering network
interfaces that are not properly released. Additionally, network
isolation between namespaces may be compromised.
Eric Dumazet (1):
net: defer final 'struct net' free in netns dismantle
include/net/net_namespace.h | 1 +
net/core/net_namespace.c | 21 ++++++++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
--
2.43.0