CVE-2024-26624
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/03/2024
Last modified:
06/03/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
af_unix: fix lockdep positive in sk_diag_dump_icons()<br />
<br />
syzbot reported a lockdep splat [1].<br />
<br />
Blamed commit hinted about the possible lockdep<br />
violation, and code used unix_state_lock_nested()<br />
in an attempt to silence lockdep.<br />
<br />
It is not sufficient, because unix_state_lock_nested()<br />
is already used from unix_state_double_lock().<br />
<br />
We need to use a separate subclass.<br />
<br />
This patch adds a distinct enumeration to make things<br />
more explicit.<br />
<br />
Also use swap() in unix_state_double_lock() as a clean up.<br />
<br />
v2: add a missing inline keyword to unix_state_lock_nested()<br />
<br />
[1]<br />
WARNING: possible circular locking dependency detected<br />
6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted<br />
<br />
syz-executor.1/2542 is trying to acquire lock:<br />
ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863<br />
<br />
but task is already holding lock:<br />
ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089<br />
<br />
which lock already depends on the new lock.<br />
<br />
the existing dependency chain (in reverse order) is:<br />
<br />
-> #1 (&u->lock/1){+.+.}-{2:2}:<br />
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br />
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378<br />
sk_diag_dump_icons net/unix/diag.c:87 [inline]<br />
sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157<br />
sk_diag_dump net/unix/diag.c:196 [inline]<br />
unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220<br />
netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264<br />
__netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370<br />
netlink_dump_start include/linux/netlink.h:338 [inline]<br />
unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319<br />
sock_diag_rcv_msg+0xe3/0x400<br />
netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543<br />
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]<br />
netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367<br />
netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg net/socket.c:745 [inline]<br />
sock_write_iter+0x39a/0x520 net/socket.c:1160<br />
call_write_iter include/linux/fs.h:2085 [inline]<br />
new_sync_write fs/read_write.c:497 [inline]<br />
vfs_write+0xa74/0xca0 fs/read_write.c:590<br />
ksys_write+0x1a0/0x2c0 fs/read_write.c:643<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
<br />
-> #0 (rlock-AF_UNIX){+.+.}-{2:2}:<br />
check_prev_add kernel/locking/lockdep.c:3134 [inline]<br />
check_prevs_add kernel/locking/lockdep.c:3253 [inline]<br />
validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869<br />
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137<br />
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br />
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br />
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162<br />
skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863<br />
unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg net/socket.c:745 [inline]<br />
____sys_sendmsg+0x592/0x890 net/socket.c:2584<br />
___sys_sendmsg net/socket.c:2638 [inline]<br />
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724<br />
__do_sys_sendmmsg net/socket.c:2753 [inline]<br />
__se_sys_sendmmsg net/socket.c:2750 [inline]<br />
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
<br />
other info that might help us debug this:<br />
<br />
Possible unsafe locking scenario:<br />
<br />
CPU0 <br />
---truncated---
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4d322dce82a1d44f8c83f0f54f95dd1b8dcf46c9
- https://git.kernel.org/stable/c/5e7f3e0381c002cb2abde42f09ad511991a8ebaf
- https://git.kernel.org/stable/c/875f31aaa67e306098befa5e798a049075910fa7
- https://git.kernel.org/stable/c/a2104f43876408b164be5fd58f9b6a3a73b77746
- https://git.kernel.org/stable/c/b169ffde733c5adf01788ae091c377f0eca44806
- https://git.kernel.org/stable/c/c2d272a9a1e8f22ba584589219f6fe1886a3595f
- https://git.kernel.org/stable/c/c8f6b3b864cb876e9ee21666a391c9ee290682ac
- https://git.kernel.org/stable/c/f199018dc762dfa501f6d96a424468a0f3c10d9e