Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-26625

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
06/03/2024
Last modified:
07/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> llc: call sock_orphan() at release time<br /> <br /> syzbot reported an interesting trace [1] caused by a stale sk-&gt;sk_wq<br /> pointer in a closed llc socket.<br /> <br /> In commit ff7b11aa481f ("net: socket: set sock-&gt;sk to NULL after<br /> calling proto_ops::release()") Eric Biggers hinted that some protocols<br /> are missing a sock_orphan(), we need to perform a full audit.<br /> <br /> In net-next, I plan to clear sock-&gt;sk from sock_orphan() and<br /> amend Eric patch to add a warning.<br /> <br /> [1]<br /> BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]<br /> BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]<br /> BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]<br /> BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468<br /> Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27<br /> <br /> CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0xc4/0x620 mm/kasan/report.c:488<br /> kasan_report+0xda/0x110 mm/kasan/report.c:601<br /> list_empty include/linux/list.h:373 [inline]<br /> waitqueue_active include/linux/wait.h:127 [inline]<br /> sock_def_write_space_wfree net/core/sock.c:3384 [inline]<br /> sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468<br /> skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080<br /> skb_release_all net/core/skbuff.c:1092 [inline]<br /> napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404<br /> e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970<br /> e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]<br /> e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801<br /> __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576<br /> napi_poll net/core/dev.c:6645 [inline]<br /> net_rx_action+0x956/0xe90 net/core/dev.c:6778<br /> __do_softirq+0x21a/0x8de kernel/softirq.c:553<br /> run_ksoftirqd kernel/softirq.c:921 [inline]<br /> run_ksoftirqd+0x31/0x60 kernel/softirq.c:913<br /> smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164<br /> kthread+0x2c6/0x3a0 kernel/kthread.c:388<br /> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242<br /> <br /> <br /> Allocated by task 5167:<br /> kasan_save_stack+0x33/0x50 mm/kasan/common.c:47<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br /> unpoison_slab_object mm/kasan/common.c:314 [inline]<br /> __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340<br /> kasan_slab_alloc include/linux/kasan.h:201 [inline]<br /> slab_post_alloc_hook mm/slub.c:3813 [inline]<br /> slab_alloc_node mm/slub.c:3860 [inline]<br /> kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879<br /> alloc_inode_sb include/linux/fs.h:3019 [inline]<br /> sock_alloc_inode+0x25/0x1c0 net/socket.c:308<br /> alloc_inode+0x5d/0x220 fs/inode.c:260<br /> new_inode_pseudo+0x16/0x80 fs/inode.c:1005<br /> sock_alloc+0x40/0x270 net/socket.c:634<br /> __sock_create+0xbc/0x800 net/socket.c:1535<br /> sock_create net/socket.c:1622 [inline]<br /> __sys_socket_create net/socket.c:1659 [inline]<br /> __sys_socket+0x14c/0x260 net/socket.c:1706<br /> __do_sys_socket net/socket.c:1720 [inline]<br /> __se_sys_socket net/socket.c:1718 [inline]<br /> __x64_sys_socket+0x72/0xb0 net/socket.c:1718<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Freed by task 0:<br /> kasan_save_stack+0x33/0x50 mm/kasan/common.c:47<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br /> kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640<br /> poison_slab_object mm/kasan/common.c:241 [inline]<br /> __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257<br /> kasan_slab_free include/linux/kasan.h:184 [inline]<br /> slab_free_hook mm/slub.c:2121 [inlin<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.35 (including) 4.19.307 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.269 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools