lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025011517-CVE-2024-57903-fd2a@gregkh>
Date: Wed, 15 Jan 2025 14:06:26 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-57903: net: restrict SO_REUSEPORT to inet sockets

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: restrict SO_REUSEPORT to inet sockets

After blamed commit, crypto sockets could accidentally be destroyed
from RCU call back, as spotted by zyzbot [1].

Trying to acquire a mutex in RCU callback is not allowed.

Restrict SO_REUSEPORT socket option to inet sockets.

v1 of this patch supported TCP, UDP and SCTP sockets,
but fcnal-test.sh test needed RAW and ICMP support.

[1]
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1
preempt_count: 100, expected: 0
RCU nest depth: 0, expected: 0
1 lock held by ksoftirqd/1/24:
  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]
  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823
Preemption disabled at:
 [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]
 [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  __might_resched+0x5d4/0x780 kernel/sched/core.c:8758
  __mutex_lock_common kernel/locking/mutex.c:562 [inline]
  __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
  crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179
  aead_release+0x3d/0x50 crypto/algif_aead.c:489
  alg_do_release crypto/af_alg.c:118 [inline]
  alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
  __sk_destruct+0x58/0x5f0 net/core/sock.c:2260
  rcu_do_batch kernel/rcu/tree.c:2567 [inline]
  rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
  run_ksoftirqd+0xca/0x130 kernel/softirq.c:950
  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
  kthread+0x2f0/0x390 kernel/kthread.c:389
  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The Linux kernel CVE team has assigned CVE-2024-57903 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 5.15.176 with commit 579cfa595af1e00ccc9c3a849a4add6bba8b4bad
	Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.1.124 with commit ad2ad4cd11af9d63187cd074314b71b7cf8a2a59
	Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.6.70 with commit ad91a2dacbf8c26a446658cdd55e8324dfeff1e7
	Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.12.9 with commit 3257813a3ae7462ac5cde04e120806f0c0776850
	Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.13-rc6 with commit 5b0af621c3f6ef9261cf6067812f2fd9943acb4b
	Issue introduced in 4.9.196 with commit 62241d6d9e497ad16372b74d2afa3340128e8e57
	Issue introduced in 4.14.148 with commit 1e24f532c736b3f99f3fe7c4be66414c40df5f02
	Issue introduced in 4.19.78 with commit d5b1db1c7ce4198bbbd51160350bdd446c8ed2ba
	Issue introduced in 5.2.20 with commit 50b26ba8938f1741523ca733aa9a548a12b6edd6
	Issue introduced in 5.3.5 with commit 7e2777fd4816cdf6bff5de9e5221514f36dddfbf

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57903
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/core/sock.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/579cfa595af1e00ccc9c3a849a4add6bba8b4bad
	https://git.kernel.org/stable/c/ad2ad4cd11af9d63187cd074314b71b7cf8a2a59
	https://git.kernel.org/stable/c/ad91a2dacbf8c26a446658cdd55e8324dfeff1e7
	https://git.kernel.org/stable/c/3257813a3ae7462ac5cde04e120806f0c0776850
	https://git.kernel.org/stable/c/5b0af621c3f6ef9261cf6067812f2fd9943acb4b

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ