| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024122737-CVE-2024-56642-71ee@gregkh>
Date: Fri, 27 Dec 2024 16:02:43 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free of kernel socket in cleanup_bearer().
syzkaller reported a use-after-free of UDP kernel socket
in cleanup_bearer() without repro. [0][1]
When bearer_disable() calls tipc_udp_disable(), cleanup
of the UDP kernel socket is deferred by work calling
cleanup_bearer().
tipc_net_stop() waits for such works to finish by checking
tipc_net(net)->wq_count. However, the work decrements the
count too early before releasing the kernel socket,
unblocking cleanup_net() and resulting in use-after-free.
Let's move the decrement after releasing the socket in
cleanup_bearer().
[0]:
ref_tracker: net notrefcnt@...000009b3d1faf has 1/1 users at
sk_alloc+0x438/0x608
inet_create+0x4c8/0xcb0
__sock_create+0x350/0x6b8
sock_create_kern+0x58/0x78
udp_sock_create4+0x68/0x398
udp_sock_create+0x88/0xc8
tipc_udp_enable+0x5e8/0x848
__tipc_nl_bearer_enable+0x84c/0xed8
tipc_nl_bearer_enable+0x38/0x60
genl_family_rcv_msg_doit+0x170/0x248
genl_rcv_msg+0x400/0x5b0
netlink_rcv_skb+0x1dc/0x398
genl_rcv+0x44/0x68
netlink_unicast+0x678/0x8b0
netlink_sendmsg+0x5e4/0x898
____sys_sendmsg+0x500/0x830
[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
udp_hashslot include/net/udp.h:85 [inline]
udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
__sock_release net/socket.c:658 [inline]
sock_release+0xa0/0x210 net/socket.c:686
cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
kthread+0x531/0x6b0 kernel/kthread.c:389
ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
Uninit was created at:
slab_free_hook mm/slub.c:2269 [inline]
slab_free mm/slub.c:4580 [inline]
kmem_cache_free+0x207/0xc40 mm/slub.c:4682
net_free net/core/net_namespace.c:454 [inline]
cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
kthread+0x531/0x6b0 kernel/kthread.c:389
ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer
The Linux kernel CVE team has assigned CVE-2024-56642 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 5.4.287 with commit 4e69457f9dfae67435f3ccf29008768eae860415
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 5.10.231 with commit 650ee9a22d7a2de8999fac2d45983597a0c22359
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 5.15.174 with commit d2a4894f238551eae178904e7f45af87577074fd
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.1.120 with commit d62d5180c036eeac09f80660edc7a602b369125f
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.6.66 with commit d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.12.5 with commit e48b211c4c59062cb6dd6c2c37c51a7cc235a464
Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.13-rc2 with commit 6a2fa13312e51a621f652d522d7e2df7066330b6
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-56642
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/tipc/udp_media.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415
https://git.kernel.org/stable/c/650ee9a22d7a2de8999fac2d45983597a0c22359
https://git.kernel.org/stable/c/d2a4894f238551eae178904e7f45af87577074fd
https://git.kernel.org/stable/c/d62d5180c036eeac09f80660edc7a602b369125f
https://git.kernel.org/stable/c/d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
https://git.kernel.org/stable/c/e48b211c4c59062cb6dd6c2c37c51a7cc235a464
https://git.kernel.org/stable/c/6a2fa13312e51a621f652d522d7e2df7066330b6
Powered by blists - more mailing lists