CVE-2024-26865

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
17/04/2024
Last modified:
07/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rds: tcp: Fix use-after-free of net in reqsk_timer_handler().<br /> <br /> syzkaller reported a warning of netns tracker [0] followed by KASAN<br /> splat [1] and another ref tracker warning [1].<br /> <br /> syzkaller could not find a repro, but in the log, the only suspicious<br /> sequence was as follows:<br /> <br /> 18:26:22 executing program 1:<br /> r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)<br /> ...<br /> connect$inet6(r0, &amp;(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)<br /> <br /> The notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.<br /> <br /> So, the scenario would be:<br /> <br /> 1. unshare(CLONE_NEWNET) creates a per netns tcp listener in<br /> rds_tcp_listen_init().<br /> 2. syz-executor connect()s to it and creates a reqsk.<br /> 3. syz-executor exit()s immediately.<br /> 4. netns is dismantled. [0]<br /> 5. reqsk timer is fired, and UAF happens while freeing reqsk. [1]<br /> 6. listener is freed after RCU grace period. [2]<br /> <br /> Basically, reqsk assumes that the listener guarantees netns safety<br /> until all reqsk timers are expired by holding the listener&amp;#39;s refcount.<br /> However, this was not the case for kernel sockets.<br /> <br /> Commit 740ea3c4a0b2 ("tcp: Clean up kernel listener&amp;#39;s reqsk in<br /> inet_twsk_purge()") fixed this issue only for per-netns ehash.<br /> <br /> Let&amp;#39;s apply the same fix for the global ehash.<br /> <br /> [0]:<br /> ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at<br /> sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)<br /> inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)<br /> __sock_create (net/socket.c:1572)<br /> rds_tcp_listen_init (net/rds/tcp_listen.c:279)<br /> rds_tcp_init_net (net/rds/tcp.c:577)<br /> ops_init (net/core/net_namespace.c:137)<br /> setup_net (net/core/net_namespace.c:340)<br /> copy_net_ns (net/core/net_namespace.c:497)<br /> create_new_namespaces (kernel/nsproxy.c:110)<br /> unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))<br /> ksys_unshare (kernel/fork.c:3429)<br /> __x64_sys_unshare (kernel/fork.c:3496)<br /> do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)<br /> ...<br /> WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)<br /> <br /> [1]:<br /> BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)<br /> Read of size 8 at addr ffff88801b370400 by task swapper/0/0<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))<br /> print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)<br /> kasan_report (mm/kasan/report.c:603)<br /> inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)<br /> reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)<br /> call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)<br /> __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)<br /> run_timer_softirq (kernel/time/timer.c:2053)<br /> __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)<br /> irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)<br /> sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))<br /> <br /> <br /> Allocated by task 258 on cpu 0 at 83.612050s:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (mm/kasan/common.c:68)<br /> __kasan_slab_alloc (mm/kasan/common.c:343)<br /> kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)<br /> copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)<br /> create_new_namespaces (kernel/nsproxy.c:110)<br /> unshare_nsproxy_name<br /> ---truncated---

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.3 (including) 6.1.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.2 (excluding)