CVE-2024-36939 in Linuxinformazioni

Riassunto

di VulDB • 19/06/2026

This is a Linux kernel crash (Oops/Panic) trace. Here is a breakdown of the issue:

### **1. Summary** - **Trigger:** A user-space process called `unshare()` (specifically `SYS_unshare`, syscall number `0x110`), likely to create a new network namespace. - **Crash Location:** `rpc_proc_unregister` in `net/sunrpc/stats.c`. - **Root Cause:** A **Use-After-Free (UAF)** or **Race Condition** in the NFS/SunRPC subsystem during network namespace cleanup. The kernel tried to unregister an RPC procedure that had already been freed or was in an inconsistent state.

---

### **2. Call Trace Analysis** ``` rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310 → This is where the crash occurred. nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438 → The NFS network namespace exit function is running. ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170 → General net namespace cleanup. setup_net+0x46c/0x660 net/core/net_namespace.c:372 → Setting up a new network namespace. copy_net_ns+0x244/0x590 net/core/net_namespace.c:505 → Copying the network namespace (part of unshare). create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110 → Creating new namespaces. unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228 → Unsharing namespace proxies. ksys_unshare+0x342/0x760 kernel/fork.c:3322 → System call entry for unshare. __do_sys_unshare kernel/fork.c:3393 [inline]
__se_sys_unshare kernel/fork.c:3391 [inline]
__x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391 → The syscall handler. ```

### **3. Key Observations** - **`rpc_proc_unregister`**: This function is responsible for removing an RPC program from the stats tracking. It likely accesses a global or per-namespace list of RPC procedures. - **`nfs_net_exit`**: This is called when a network namespace is being destroyed. It cleans up NFS-specific resources. - **Race Condition**: The crash suggests that `rpc_proc_unregister` was called on an RPC procedure that was: 1. Already freed. 2. In the process of being freed. 3. Not properly initialized.

This is a classic **UAF (Use-After-Free)** bug in the NFS/SunRPC stats tracking code during namespace teardown.

---

### **4. Likely Cause** The bug is in `net/sunrpc/stats.c` or `fs/nfs/inode.c`. Specifically: - When a network namespace is exiting (`nfs_net_exit`), it iterates over RPC procedures to unregister them. - However, some RPC procedures might have already been freed or are being freed concurrently, leading to a crash when `rpc_proc_unregister` tries to access them.

This could be due to: - Missing synchronization between RPC procedure registration/unregistration and namespace cleanup. - A race between `unshare()` (creating a new namespace) and existing namespace teardown.

---

### **5. Fix/Workaround** #### **For Developers:** 1. **Check `rpc_proc_unregister`**: Ensure it handles NULL pointers or already-freed structures gracefully. 2. **Synchronize Namespace Cleanup**: Ensure that `nfs_net_exit` waits for all RPC procedures to be fully unregistered before freeing them. 3. **Add Reference Counting**: Use `kref` or similar mechanisms to prevent UAF.

#### **For Users:** - **Update Kernel**: This is likely a known bug in older kernels. Update to the latest stable kernel. - **Avoid `unshare()` with NFS**: If possible, avoid using `unshare()` with network namespaces in environments using NFS. - **Disable NFS Stats**: If NFS stats tracking is not needed, consider disabling it to avoid the code path.

---

### **6. Relevant Code Locations** - `net/sunrpc/stats.c:310` (`rpc_proc_unregister`) - `fs/nfs/inode.c:2438` (`nfs_net_exit`)

### **7. Mitigation**

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Fonti

Do you want to use VulDB in your project?

Use the official API to access entries easily!