CVE-2024-41041

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 29/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

syzkaller triggered the warning [0] in udp_v4_early_demux().

In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount
of the looked-up sk and use sock_pfree() as skb->destructor, so we check
SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace
period.

Currently, SOCK_RCU_FREE is flagged for a bound socket after being put
into the hash table. Moreover, the SOCK_RCU_FREE check is done too early
in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race
window:

  CPU1                                     CPU2
  ----                                     ----
  udp_v4_early_demux()                     udp_lib_get_port()
  |                                        |- hlist_add_head_rcu()
  |- sk = __udp4_lib_demux_lookup()        |
  |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
                                           `- sock_set_flag(sk, SOCK_RCU_FREE)

We had the same bug in TCP and fixed it in commit 871019b22d1b ("net:
set SOCK_RCU_FREE before inserting socket into hashtable").

Let's apply the same fix for UDP.

[0]:
WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Modules linked in:
CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52
RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c
RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001
RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680
R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e
FS:  00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:

 ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349
 ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624
 __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738
 netif_receive_skb_internal net/core/dev.c:5824 [inline]
 netif_receive_skb+0x271/0x300 net/core/dev.c:5884
 tun_rx_batched drivers/net/tun.c:1549 [inline]
 tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002
 tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x76f/0x8d0 fs/read_write.c:590
 ksys_write+0xbf/0x190 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x41/0x50 fs/read_write.c:652
 x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fc44a68bc1f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48
RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f
R
---truncated---

Vulnerable products and versions

CPE | From (including) | Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.100 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.41 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:*
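The table above is only usable if you can compare a running kernel's version against those ranges. The script below is an added example, not part of this record, that encodes the listed ranges (the six "from/up to" rows and the individually listed 6.10 release candidates) and checks a `uname -r` style string against them. The parsing of distribution suffixes such as `-generic` or `.el9.x86_64` is an assumption about common release-string formats; the version numbers themselves are taken from the table.

```python
"""Triage helper for CVE-2024-41041: does a kernel release string fall in a listed range?

Added example, not part of the CVE record. Ranges are copied from the record's
CPE table; the release-string parsing is an assumption about common formats.
"""
import platform
import re

# (from, including) -> (up to, excluding), as (major, minor, patch) tuples,
# one entry per "from/up to" row of the record's table.
AFFECTED_RANGES = [
    ((4, 20, 0), (5, 4, 280)),
    ((5, 5, 0), (5, 10, 222)),
    ((5, 11, 0), (5, 15, 163)),
    ((5, 16, 0), (6, 1, 100)),
    ((6, 2, 0), (6, 6, 41)),
    ((6, 7, 0), (6, 9, 10)),
]

# The record lists 6.10-rc1 through 6.10-rc7 as individual CPEs.
AFFECTED_RC = {(6, 10, rc) for rc in range(1, 8)}

# "6.9.9", "6.10-rc3", "5.15.0-91-generic", "5.14.0-362.el9.x86_64" ...
# Anything after the leading version (and an optional -rcN) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release: str):
    """Return ((major, minor, patch), rc) for a `uname -r` style string.

    rc is None for a final release. A missing patch level is treated as 0,
    which is how mainline names its first release (6.10 == 6.10.0).
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def is_version_listed(release: str) -> bool:
    """True if the upstream version number is inside a range this record lists."""
    ver, rc = parse_kernel_version(release)
    if rc is not None:
        # Release candidates are matched exactly against the listed ones.
        return (ver[0], ver[1], rc) in AFFECTED_RC
    # Tuple comparison gives the lexicographic major/minor/patch ordering;
    # the lower bound is inclusive and the upper bound exclusive, as in the table.
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    verdict = "inside" if is_version_listed(running) else "outside"
    print(f"kernel {running}: upstream version number is {verdict} the listed ranges")
```

Treat a hit as a prompt to check, not as a verdict: distribution kernels routinely backport fixes without bumping the upstream version in `uname -r`, so a release string inside a listed range is only evidence that the fix should be confirmed against the vendor's changelog or advisory for that exact package.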