{"id":"CVE-2024-49952","summary":"netfilter: nf_tables: prevent nf_skb_duplicated corruption","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\n\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\n\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\n caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\n  nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\n  nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook+0x2c4/0x450 include/linux/netfilter.h:269\n  NF_HOOK_COND include/linux/netfilter.h:302 [inline]\n  ip_output+0x185/0x230 net/ipv4/ip_output.c:433\n  ip_local_out net/ipv4/ip_output.c:129 [inline]\n  ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\n  udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\n  udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n  __do_sys_sendmmsg net/socket.c:2766 [inline]\n  __se_sys_sendmmsg net/socket.c:2763 [inline]\n  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n \u003c/TASK\u003e","modified":"2026-04-16T04:35:23.799632718Z","published":"2024-10-21T18:02:07.718Z","related":["SUSE-SU-2024:4314-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4367-1","SUSE-SU-2025:0035-1","SUSE-SU-2025:0201-1","SUSE-SU-2025:0201-2","SUSE-SU-2025:0229-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49952.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c0add6ed2cf1c4733cd489efc61faeccd3433b41"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49952.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49952"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d877f07112f1e5a247c6b585c971a93895c9f738"},{"fixed":"50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7"},{"fixed":"c0add6ed2cf1c4733cd489efc61faeccd3433b41"},{"fixed":"531754952f5dfc4b141523088147071d6e6112c4"},{"fixed":"38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663"},{"fixed":"b40b027a0c0cc1cb9471a13f9730bb2fff12a15b"},{"fixed":"4e3542f40f3a94efa59ea328e307c50601ed7065"},{"fixed":"f839c5cd348201fec440d987cbca9b979bdb4fa7"},{"fixed":"752e1924604254f1708f3e3700283a86ebdd325d"},{"fixed":"92ceba94de6fb4cee2bf40b485979c342f44a492"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49952.json"}}],"schema_version":"1.7.5"}