CVE-2024-50154: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50154 is a use-after-free (UAF) vulnerability discovered in the Linux kernel's TCP subsystem, specifically related to request socket (reqsk) handling. The vulnerability was reported by Martin KaFai Lau and affects Linux kernel versions from 4.1.11 up to versions before 5.15.170, 6.1.115, 6.6.59, and 6.11.6 (NVD).

The vulnerability stems from a race condition in the reqskqueueunlink() function. The issue was introduced by commit 83fccfc3940c which added timerpending() checks to prevent deadlocks. However, this created a race window where if reqskqueueunlink() checks timerpending() just after expiretimers() calls detachtimer(), TCP misses deltimersync() call. This can cause the reqsk timer to continue running and send multiple SYN+ACKs until expiration. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 HIGH with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability can lead to a use-after-free condition when a BPF program attached to tracetcpretransmit_synack attempts to access req->sk after it has been closed. This occurs if req->sk is closed earlier than the timer expiration (default 63s). The vulnerability can potentially lead to system crashes, information leaks, or arbitrary code execution (Kernel Patch).

The vulnerability has been fixed in the Linux kernel by modifying the reqskqueueunlink() function to not use timerpending() and instead passing the caller context to _inetcskreqskqueuedrop(). Users should update to kernel versions 5.15.170, 6.1.115, 6.6.59, 6.11.6 or later to address this vulnerability (Red Hat).