CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-57974: udp: Deal with race between UDP socket address change and rehash

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Deal with race between UDP socket address change and rehash

If a UDP socket changes its local address while it's receiving
datagrams, as a result of connect(), there is a period during which
a lookup operation might fail to find it, after the address is changed
but before the secondary hash (port and address) and the four-tuple
hash (local and remote ports and addresses) are updated.

Secondary hash chains were introduced by commit 30fff9231fad ("udp:
bind() optimisation") and, as a result, a rehash operation became
needed to make a bound socket reachable again after a connect().

This operation was introduced by commit 719f835853a9 ("udp: add
rehash on connect()") which isn't however a complete fix: the
socket will be found once the rehashing completes, but not while
it's pending.

This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a
client sending datagrams to it. After the server receives the first
datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to
the address of the sender, in order to set up a directed flow.

Now, if the client, running on a different CPU thread, happens to
send a (subsequent) datagram while the server's socket changes its
address, but is not rehashed yet, this will result in a failed
lookup and a port unreachable error delivered to the client, as
apparent from the following reproducer:

LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))
dd ...

Classification

CVE ID: CVE-2024-57974

Affected Products

Vendor: Linux, Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 3.82% (scored less or equal to compared to others)

EPSS Date: 2025-03-27 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-57974
https://git.kernel.org/stable/c/4f8344fce91c5766d368edb0ad80142eacd805c7
https://git.kernel.org/stable/c/d65d3bf309b2649d27b24efd0d8784da2d81f2a6
https://git.kernel.org/stable/c/a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c

Timeline