CVE-2024-26750
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/04/2024
Last modified:
18/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
af_unix: Drop oob_skb ref before purging queue in GC.<br />
<br />
syzbot reported another task hung in __unix_gc(). [0]<br />
<br />
The current while loop assumes that all of the left candidates<br />
have oob_skb and calling kfree_skb(oob_skb) releases the remaining<br />
candidates.<br />
<br />
However, I missed a case that oob_skb has self-referencing fd and<br />
another fd and the latter sk is placed before the former in the<br />
candidate list. Then, the while loop never proceeds, resulting<br />
the task hung.<br />
<br />
__unix_gc() has the same loop just before purging the collected skb,<br />
so we can call kfree_skb(oob_skb) there and let __skb_queue_purge()<br />
release all inflight sockets.<br />
<br />
[0]:<br />
Sending NMI from CPU 0 to CPUs 1:<br />
NMI backtrace for cpu 1<br />
CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br />
Workqueue: events_unbound __unix_gc<br />
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200<br />
Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70<br />
RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287<br />
RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80<br />
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000<br />
RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84<br />
R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee<br />
R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840<br />
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
<br />
<br />
__unix_gc+0xe69/0xf40 net/unix/garbage.c:343<br />
process_one_work kernel/workqueue.c:2633 [inline]<br />
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706<br />
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787<br />
kthread+0x2ef/0x390 kernel/kthread.c:388<br />
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242<br />
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.149 (including) | 5.15.151 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
- https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
- https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
- https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
- https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d
- https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
- https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
- https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
- https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
- https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d