CVE-2024-40954

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: do not leave a dangling sk pointer, when socket creation fails<br /> <br /> It is possible to trigger a use-after-free by:<br /> * attaching an fentry probe to __sock_release() and the probe calling the<br /> bpf_get_socket_cookie() helper<br /> * running traceroute -I 1.1.1.1 on a freshly booted VM<br /> <br /> A KASAN enabled kernel will log something like below (decoded and stripped):<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)<br /> Read of size 8 at addr ffff888007110dd8 by task traceroute/299<br /> <br /> CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))<br /> print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)<br /> ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)<br /> kasan_report (mm/kasan/report.c:603)<br /> ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)<br /> kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)<br /> __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)<br /> bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)<br /> bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e<br /> bpf_trampoline_6442506592+0x47/0xaf<br /> __sock_release (net/socket.c:652)<br /> __sock_create (net/socket.c:1601)<br /> ...<br /> Allocated by task 299 on cpu 2 at 78.328492s:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (mm/kasan/common.c:68)<br /> __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)<br /> kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)<br /> sk_prot_alloc (net/core/sock.c:2075)<br /> sk_alloc (net/core/sock.c:2134)<br /> inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)<br /> __sock_create (net/socket.c:1572)<br /> __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)<br /> __x64_sys_socket (net/socket.c:1718)<br /> do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> <br /> Freed by task 299 on cpu 2 at 78.328502s:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (mm/kasan/common.c:68)<br /> kasan_save_free_info (mm/kasan/generic.c:582)<br /> poison_slab_object (mm/kasan/common.c:242)<br /> __kasan_slab_free (mm/kasan/common.c:256)<br /> kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)<br /> __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)<br /> inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)<br /> __sock_create (net/socket.c:1572)<br /> __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)<br /> __x64_sys_socket (net/socket.c:1718)<br /> do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> <br /> Fix this by clearing the struct socket reference in sk_common_release() to cover<br /> all protocol families create functions, which may already attached the<br /> reference to the sk object with sock_init_data().