{"id":"CVE-2024-56635","summary":"net: avoid potential UAF in default_operstate()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential UAF in default_operstate()\n\nsyzbot reported an UAF in default_operstate() [1]\n\nIssue is a race between device and netns dismantles.\n\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\n\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\n\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\n\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\n  default_operstate net/core/link_watch.c:51 [inline]\n  rfc2863_policy+0x224/0x300 net/core/link_watch.c:67\n  linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\n  netdev_run_todo+0x461/0x1000 net/core/dev.c:10894\n  rtnl_unlock net/core/rtnetlink.c:152 [inline]\n  rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\n  rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\n  rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:726\n  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n  ___sys_sendmsg net/socket.c:2637 [inline]\n  __sys_sendmsg+0x269/0x350 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n \u003c/TASK\u003e\n\nAllocated by task 5339:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n  kmalloc_noprof include/linux/slab.h:901 [inline]\n  kmalloc_array_noprof include/linux/slab.h:945 [inline]\n  netdev_create_hash net/core/dev.c:11870 [inline]\n  netdev_init+0x10c/0x250 net/core/dev.c:11890\n  ops_init+0x31e/0x590 net/core/net_namespace.c:138\n  setup_net+0x287/0x9e0 net/core/net_namespace.c:362\n  copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\n  create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\n  ksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n  __do_sys_unshare kernel/fork.c:3385 [inline]\n  __se_sys_unshare kernel/fork.c:3383 [inline]\n  __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x8\n---truncated---","modified":"2026-04-02T12:25:01.007098Z","published":"2024-12-27T15:02:38.213Z","related":["MGASA-2025-0030","MGASA-2025-0032","SUSE-SU-2025:0289-1","SUSE-SU-2025:0428-1","SUSE-SU-2025:0499-1","SUSE-SU-2025:0557-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","USN-7379-2","USN-7380-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56635.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/316183d58319f191e16503bc2dffa156c4442df2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3265aab0736f78bb218200b06b1abb525c316269"},{"type":"WEB","url":"https://git.kernel.org/stable/c/750e51603395e755537da08f745864c93e3ce741"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56635.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56635"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8c55facecd7ade835287298ce325f930d888d8ec"},{"fixed":"3265aab0736f78bb218200b06b1abb525c316269"},{"fixed":"316183d58319f191e16503bc2dffa156c4442df2"},{"fixed":"750e51603395e755537da08f745864c93e3ce741"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56635.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}