In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: must hold reference on net namespace
BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60
Eric says:
It seems that bpf was able to defer the __nf_unregister_net_hook()
after exit()/close() time.
Perhaps a netns reference is missing, because the netns has been
dismantled/freed already.
bpf_nf_link_attach() does :
link->net = net;
But I do not see a reference being taken on net.
Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.
CVE ID: CVE-2024-50130
CVSS Base Severity: HIGH
CVSS Base Score: 7.8
Vendor: Linux, Linux
Product: Linux, Linux
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 9.92% (scored less or equal to compared to others)
EPSS Date: 2025-04-04 (when was this score calculated)
SSVC Exploitation: none
SSVC Technical Impact: total
SSVC Automatable: false