CVE-2024-26624

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/03/2024
Last modified:
06/03/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: fix lockdep positive in sk_diag_dump_icons()

syzbot reported a lockdep splat [1].

Blamed commit hinted about the possible lockdep
violation, and code used unix_state_lock_nested()
in an attempt to silence lockdep.

It is not sufficient, because unix_state_lock_nested()
is already used from unix_state_double_lock().

We need to use a separate subclass.

This patch adds a distinct enumeration to make things
more explicit.

Also use swap() in unix_state_double_lock() as a clean up.

v2: add a missing inline keyword to unix_state_lock_nested()

[1]
WARNING: possible circular locking dependency detected
6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted

syz-executor.1/2542 is trying to acquire lock:
ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863

but task is already holding lock:
ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&u->lock/1){+.+.}-{2:2}:
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
sk_diag_dump_icons net/unix/diag.c:87 [inline]
sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157
sk_diag_dump net/unix/diag.c:196 [inline]
unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
__netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
netlink_dump_start include/linux/netlink.h:338 [inline]
unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
sock_diag_rcv_msg+0xe3/0x400
netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_write_iter+0x39a/0x520 net/socket.c:1160
call_write_iter include/linux/fs.h:2085 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa74/0xca0 fs/read_write.c:590
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

-> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0
---truncated---
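Why a second call site reusing the same nesting subclass produces a lockdep "circular dependency" report, and why the fix needs a distinct subclass, is easier to see with a small model. The C program below is an added example, not part of this advisory nor the kernel's code: it is a toy lock-dependency graph standing in for lockdep (lockdep itself is far more involved), and it replays the two call chains from the splat above. The lock order assumed for the diag path (sk_receive_queue.lock held, then the nested u->lock) follows from the dependency chain printed in [1]; the subclass names U_LOCK_SECOND and U_LOCK_DIAG and the ordering of the enum are assumptions made for illustration, as is the idea that the second lock of unix_state_double_lock() is the one at subclass 1.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Toy model of how lockdep keys lock classes: a spinlock class plus a
 * nesting subclass form one node, and acquiring lock B while holding lock A
 * records a dependency edge A -> B. Two call sites that use the same
 * (class, subclass) pair share a node, so their orderings are merged. */
enum lock_class { RLOCK_AF_UNIX, U_LOCK };   /* sk_receive_queue.lock, unix_sk(sk)->lock */

/* Assumed subclass enumeration for u->lock (names chosen for this example). */
enum { U_LOCK_NORMAL = 0, U_LOCK_SECOND = 1, U_LOCK_DIAG = 2 };

#define MAX_SUB   4
#define MAX_NODES (2 * MAX_SUB)

struct lock_node { enum lock_class cls; int sub; };
struct dep_graph { bool edge[MAX_NODES][MAX_NODES]; };

static int node_id(struct lock_node n) { return (int)n.cls * MAX_SUB + n.sub; }

/* Depth-first search: is `to` reachable from `from` along recorded edges? */
static bool reachable(const struct dep_graph *g, int from, int to, bool *seen)
{
    if (from == to)
        return true;
    seen[from] = true;
    for (int n = 0; n < MAX_NODES; n++)
        if (g->edge[from][n] && !seen[n] && reachable(g, n, to, seen))
            return true;
    return false;
}

/* Record "acquired `want` while holding `held`". Returns false when that
 * edge would close a cycle, which is what lockdep reports as a possible
 * circular locking dependency. */
static bool acquire_while_holding(struct dep_graph *g, struct lock_node held,
                                  struct lock_node want)
{
    int from = node_id(held), to = node_id(want);
    bool seen[MAX_NODES] = { false };

    if (reachable(g, to, from, seen))
        return false;            /* want -> ... -> held already exists */
    g->edge[from][to] = true;
    return true;
}

/* Replay the two chains from the splat with the diag path using
 * `diag_subclass` for its unix_state_lock_nested() call. Returns true when
 * no cycle is formed. */
static bool replay_splat(int diag_subclass)
{
    struct dep_graph g;
    struct lock_node rlock    = { RLOCK_AF_UNIX, 0 };
    struct lock_node u_second = { U_LOCK, U_LOCK_SECOND };
    struct lock_node u_diag   = { U_LOCK, diag_subclass };

    memset(&g, 0, sizeof g);

    /* #1: sk_diag_dump_icons() holds the listener's receive-queue lock and
     * takes u->lock of each queued child with a nested subclass. */
    if (!acquire_while_holding(&g, rlock, u_diag))
        return false;

    /* #0: unix_dgram_sendmsg() holds u->lock at subclass 1 (the second lock
     * of unix_state_double_lock()) and then skb_queue_tail() takes the
     * peer's receive-queue lock. */
    if (!acquire_while_holding(&g, u_second, rlock))
        return false;

    return true;
}

int main(void)
{
    printf("diag path on subclass 1 (shared): %s\n",
           replay_splat(U_LOCK_SECOND) ? "no cycle" : "CYCLE (lockdep splat)");
    printf("diag path on its own subclass:    %s\n",
           replay_splat(U_LOCK_DIAG) ? "no cycle" : "CYCLE (lockdep splat)");
    return 0;
}
```

With the diag path on the shared subclass, the graph holds both rlock -> u->lock/1 and u->lock/1 -> rlock, so the model reports a cycle just as lockdep did. Moving the diag acquisition to its own subclass splits that node into u->lock/1 and u->lock/2, the two edges no longer meet, and the report goes away. Note that this only changes what lockdep tracks: whether the two real code paths can deadlock on the same socket is a separate question that the commit message does not claim either way.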

Impact