Message-ID: <2024122737-CVE-2024-56643-8470@gregkh>
Date: Fri, 27 Dec 2024 16:02:44 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-56643: dccp: Fix memory leak in dccp_feat_change_recv

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dccp: Fix memory leak in dccp_feat_change_recv

If dccp_feat_push_confirm() fails after a new value for an SP feature was accepted
without reconciliation ('entry == NULL' branch), memory allocated for that value
with dccp_feat_clone_sp_val() is never freed.

Here is the kmemleak stack for this:

unreferenced object 0xffff88801d4ab488 (size 8):
  comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)
  hex dump (first 8 bytes):
    01 b4 4a 1d 80 88 ff ff                          ..J.....
  backtrace:
    [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128
    [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline]
    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]
    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]
    [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]
    [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416
    [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125
    [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650
    [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688
    [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline]
    [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570
    [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111
    [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]
    [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696
    [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735
    [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865
    [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882
    [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline]
    [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline]
    [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889
    [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1

Clean up the allocated memory in case of dccp_feat_push_confirm() failure
and bail out with an error reset code.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

The Linux kernel CVE team has assigned CVE-2024-56643 to this issue.
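
The error-path leak described above, reduced to a self-contained user-space model (an added example, not the kernel's net/dccp/feat.c and not part of this announcement). The function names echo the advisory's, but every body below is a hypothetical simplification: the SP value is a plain heap copy, push_confirm() fails on demand through a flag, RESET_CODE_ERR stands in for the real reset code, and the sample value bytes are constructed. The leaky and fixed variants sit side by side so the difference on the failure path is visible, and a small sweep at the end counts orphaned clones the way the kmemleak report in the description does:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the advisory's code path; names mirror
 * net/dccp/feat.c, bodies are hypothetical simplifications. */

#define RESET_CODE_ERR  (-1)   /* placeholder for the error reset code */

/* A cloned server-priority (SP) feature value: heap copy + length. */
struct sp_val {
    uint8_t *vec;
    uint8_t len;
};

/* Where an accepted value ends up; the entry owns the heap copy. */
struct feat_entry {
    struct sp_val val;
    int valid;
};

static int clones_live;          /* allocations not yet freed */
static uint8_t *last_clone;      /* lets the sweep reclaim an orphan */

/* Model of dccp_feat_clone_sp_val(): kmemdup() of the peer's value. */
static int clone_sp_val(struct sp_val *out, const uint8_t *val, uint8_t len)
{
    out->vec = malloc(len);
    if (!out->vec)
        return RESET_CODE_ERR;
    memcpy(out->vec, val, len);
    out->len = len;
    last_clone = out->vec;
    clones_live++;
    return 0;
}

static void free_sp_val(struct sp_val *v)
{
    free(v->vec);
    v->vec = NULL;
    clones_live--;
}

/* Model of dccp_feat_push_confirm(); failure is injected via a flag. */
static int confirm_should_fail;

static int push_confirm(const struct sp_val *v)
{
    (void)v;
    return confirm_should_fail ? RESET_CODE_ERR : 0;
}

/* Leaky variant ('entry == NULL' branch): the clone is made, then the
 * push_confirm() error is returned directly and the clone is dropped. */
static int change_recv_leaky(struct feat_entry *e, const uint8_t *val, uint8_t len)
{
    struct sp_val fval;
    if (clone_sp_val(&fval, val, len))
        return RESET_CODE_ERR;
    if (push_confirm(&fval))
        return RESET_CODE_ERR;      /* BUG: fval.vec is never freed */
    e->val = fval;                  /* entry takes ownership */
    e->valid = 1;
    return 0;
}

/* Fixed variant: free the clone, then bail out with the error code. */
static int change_recv_fixed(struct feat_entry *e, const uint8_t *val, uint8_t len)
{
    struct sp_val fval;
    if (clone_sp_val(&fval, val, len))
        return RESET_CODE_ERR;
    if (push_confirm(&fval)) {
        free_sp_val(&fval);         /* fix: clean up before bailing out */
        return RESET_CODE_ERR;
    }
    e->val = fval;
    e->valid = 1;
    return 0;
}

static void feat_entry_release(struct feat_entry *e)
{
    if (e->valid) {
        free_sp_val(&e->val);
        e->valid = 0;
    }
}

typedef int (*change_recv_fn)(struct feat_entry *, const uint8_t *, uint8_t);

/* Run one variant, optionally forcing push_confirm() to fail, and return
 * how many clones were left orphaned (0 = no leak, 1 = the bug). The
 * orphan is then reclaimed, as a kmemleak-style sweep, so the model
 * itself stays clean. */
static int orphaned_clones(change_recv_fn fn, int force_confirm_failure)
{
    static const uint8_t sample[] = { 2, 3 };   /* constructed value bytes */
    struct feat_entry e = { { NULL, 0 }, 0 };
    int rc, orphans;

    clones_live = 0;
    confirm_should_fail = force_confirm_failure;
    rc = fn(&e, sample, sizeof sample);
    confirm_should_fail = 0;
    if (rc == 0)
        feat_entry_release(&e);     /* normal teardown after success */
    orphans = clones_live;
    if (orphans > 0)
        free(last_clone);           /* reclaim what the sweep found */
    return orphans;
}
```

Calling orphaned_clones(change_recv_leaky, 1) reports one orphaned block, which is the object the kmemleak backtrace above attributes to dccp_feat_clone_sp_val(); the same call against change_recv_fixed reports none, and both variants are leak-free when push_confirm() succeeds.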


Affected and fixed versions
===========================

	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.4.287 with commit 623be080ab3c13d71570bd32f7202a8efa8e2252
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.10.231 with commit c99507fff94b926fc92279c92d80f229c91cb85d
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.15.174 with commit bc3d4423def1a9412a0ae454cb4477089ab79276
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.1.120 with commit 6ff67909ee2ffad911e3122616df41dee23ff4f6
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.6.66 with commit d3ec686a369fae5034303061f003cd3f94ddfd23
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.12.5 with commit 9ee68b0f23706a77f53c832457b9384178b76421
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.13-rc2 with commit 22be4727a8f898442066bcac34f8a1ad0bc72e14

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56643
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/dccp/feat.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252
	https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85d
	https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276
	https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6
	https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23
	https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421
	https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0bc72e14
