CVE-2024-26865
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
17/04/2024
Last modified:
07/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
rds: tcp: Fix use-after-free of net in reqsk_timer_handler().<br />
<br />
syzkaller reported a warning of netns tracker [0] followed by KASAN<br />
splat [1] and another ref tracker warning [1].<br />
<br />
syzkaller could not find a repro, but in the log, the only suspicious<br />
sequence was as follows:<br />
<br />
18:26:22 executing program 1:<br />
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)<br />
...<br />
connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)<br />
<br />
The notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.<br />
<br />
So, the scenario would be:<br />
<br />
1. unshare(CLONE_NEWNET) creates a per netns tcp listener in<br />
rds_tcp_listen_init().<br />
2. syz-executor connect()s to it and creates a reqsk.<br />
3. syz-executor exit()s immediately.<br />
4. netns is dismantled. [0]<br />
5. reqsk timer is fired, and UAF happens while freeing reqsk. [1]<br />
6. listener is freed after RCU grace period. [2]<br />
<br />
Basically, reqsk assumes that the listener guarantees netns safety<br />
until all reqsk timers are expired by holding the listener&#39;s refcount.<br />
However, this was not the case for kernel sockets.<br />
<br />
Commit 740ea3c4a0b2 ("tcp: Clean up kernel listener&#39;s reqsk in<br />
inet_twsk_purge()") fixed this issue only for per-netns ehash.<br />
<br />
Let&#39;s apply the same fix for the global ehash.<br />
<br />
[0]:<br />
ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at<br />
sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)<br />
inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)<br />
__sock_create (net/socket.c:1572)<br />
rds_tcp_listen_init (net/rds/tcp_listen.c:279)<br />
rds_tcp_init_net (net/rds/tcp.c:577)<br />
ops_init (net/core/net_namespace.c:137)<br />
setup_net (net/core/net_namespace.c:340)<br />
copy_net_ns (net/core/net_namespace.c:497)<br />
create_new_namespaces (kernel/nsproxy.c:110)<br />
unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))<br />
ksys_unshare (kernel/fork.c:3429)<br />
__x64_sys_unshare (kernel/fork.c:3496)<br />
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br />
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)<br />
...<br />
WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)<br />
<br />
[1]:<br />
BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)<br />
Read of size 8 at addr ffff88801b370400 by task swapper/0/0<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br />
Call Trace:<br />
<br />
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))<br />
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)<br />
kasan_report (mm/kasan/report.c:603)<br />
inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)<br />
reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)<br />
call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)<br />
__run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)<br />
run_timer_softirq (kernel/time/timer.c:2053)<br />
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)<br />
irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)<br />
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))<br />
<br />
<br />
Allocated by task 258 on cpu 0 at 83.612050s:<br />
kasan_save_stack (mm/kasan/common.c:48)<br />
kasan_save_track (mm/kasan/common.c:68)<br />
__kasan_slab_alloc (mm/kasan/common.c:343)<br />
kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)<br />
copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)<br />
create_new_namespaces (kernel/nsproxy.c:110)<br />
unshare_nsproxy_name<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.3 (including) | 6.1.83 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.23 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.8.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3
- https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24
- https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6
- https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500
- https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279
- https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3
- https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24
- https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6
- https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500
- https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279