AI Score
Confidence
High
EPSS
Percentile
9.9%
SSVC
Exploitation
none
Automatable
no
Technical Impact
total
In the Linux kernel, the following vulnerability has been resolved:
aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
This patch is against CVE-2023-6270. The description of cve is:
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
struct net_device
, and a use-after-free can be triggered by racing
between the free on the struct and the access through the skbtxq
global queue. This could lead to a denial of service condition or
potential code execution.
In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.
This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "ad80c34944d7",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "1a54aa506b3b",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "faf0b4c5e00b",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "7dd09fa80b07",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "74ca3ef68d2f",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "eb48680b0255",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "079cba4f4e30",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "a16fbb800646",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "f98364e92662",
"versionType": "git"
}
],
"programFiles": [
"drivers/block/aoe/aoecmd.c",
"drivers/block/aoe/aoenet.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "2.6.22",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.19.311",
"versionType": "custom",
"lessThanOrEqual": "4.19.*"
},
{
"status": "unaffected",
"version": "5.4.273",
"versionType": "custom",
"lessThanOrEqual": "5.4.*"
},
{
"status": "unaffected",
"version": "5.10.214",
"versionType": "custom",
"lessThanOrEqual": "5.10.*"
},
{
"status": "unaffected",
"version": "5.15.153",
"versionType": "custom",
"lessThanOrEqual": "5.15.*"
},
{
"status": "unaffected",
"version": "6.1.83",
"versionType": "custom",
"lessThanOrEqual": "6.1.*"
},
{
"status": "unaffected",
"version": "6.6.23",
"versionType": "custom",
"lessThanOrEqual": "6.6.*"
},
{
"status": "unaffected",
"version": "6.7.11",
"versionType": "custom",
"lessThanOrEqual": "6.7.*"
},
{
"status": "unaffected",
"version": "6.8.2",
"versionType": "custom",
"lessThanOrEqual": "6.8.*"
},
{
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"drivers/block/aoe/aoecmd.c",
"drivers/block/aoe/aoenet.c"
],
"defaultStatus": "affected"
}
]
[
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*"
],
"vendor": "linux",
"product": "linux_kernel",
"versions": [
{
"status": "affected",
"version": "2.6.22"
}
],
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"vendor": "linux",
"product": "linux_kernel",
"versions": [
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "ad80c34944d7",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "1a54aa506b3b",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "faf0b4c5e00b",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "7dd09fa80b07",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "74ca3ef68d2f",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "eb48680b0255",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "079cba4f4e30",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "a16fbb800646",
"versionType": "git"
},
{
"status": "affected",
"version": "7562f876cd93",
"lessThan": "f98364e92662",
"versionType": "git"
}
],
"defaultStatus": "unaffected"
}
]
git.kernel.org/stable/c/079cba4f4e307c69878226fdf5228c20aa1c969c
git.kernel.org/stable/c/1a54aa506b3b2f31496731039e49778f54eee881
git.kernel.org/stable/c/74ca3ef68d2f449bc848c0a814cefc487bf755fa
git.kernel.org/stable/c/7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4
git.kernel.org/stable/c/a16fbb80064634b254520a46395e36b87ca4731e
git.kernel.org/stable/c/ad80c34944d7175fa1f5c7a55066020002921a99
git.kernel.org/stable/c/eb48680b0255a9e8a9bdc93d6a55b11c31262e62
git.kernel.org/stable/c/f98364e926626c678fb4b9004b75cacf92ff0662
git.kernel.org/stable/c/faf0b4c5e00bb680e8e43ac936df24d3f48c8e65
lists.debian.org/debian-lts-announce/2024/06/msg00017.html
lists.debian.org/debian-lts-announce/2024/06/msg00020.html