CVE-2024-44935

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: Fix null-ptr-deref in reuseport_add_sock().<br /> <br /> syzbot reported a null-ptr-deref while accessing sk2-&gt;sk_reuseport_cb in<br /> reuseport_add_sock(). [0]<br /> <br /> The repro first creates a listener with SO_REUSEPORT. Then, it creates<br /> another listener on the same port and concurrently closes the first<br /> listener.<br /> <br /> The second listen() calls reuseport_add_sock() with the first listener as<br /> sk2, where sk2-&gt;sk_reuseport_cb is not expected to be cleared concurrently,<br /> but the close() does clear it by reuseport_detach_sock().<br /> <br /> The problem is SCTP does not properly synchronise reuseport_alloc(),<br /> reuseport_add_sock(), and reuseport_detach_sock().<br /> <br /> The caller of reuseport_alloc() and reuseport_{add,detach}_sock() must<br /> provide synchronisation for sockets that are classified into the same<br /> reuseport group.<br /> <br /> Otherwise, such sockets form multiple identical reuseport groups, and<br /> all groups except one would be silently dead.<br /> <br /> 1. Two sockets call listen() concurrently<br /> 2. No socket in the same group found in sctp_ep_hashtable[]<br /> 3. Two sockets call reuseport_alloc() and form two reuseport groups<br /> 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives<br /> incoming packets<br /> <br /> Also, the reported null-ptr-deref could occur.<br /> <br /> TCP/UDP guarantees that would not happen by holding the hash bucket lock.<br /> <br /> Let&amp;#39;s apply the locking strategy to __sctp_hash_endpoint() and<br /> __sctp_unhash_endpoint().<br /> <br /> [0]:<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI<br /> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]<br /> CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024<br /> RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350<br /> Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14<br /> RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202<br /> RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000<br /> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012<br /> RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385<br /> R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0<br /> R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __sctp_hash_endpoint net/sctp/input.c:762 [inline]<br /> sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790<br /> sctp_listen_start net/sctp/socket.c:8570 [inline]<br /> sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625<br /> __sys_listen_socket net/socket.c:1883 [inline]<br /> __sys_listen+0x1b7/0x230 net/socket.c:1894<br /> __do_sys_listen net/socket.c:1902 [inline]<br /> __se_sys_listen net/socket.c:1900 [inline]<br /> __x64_sys_listen+0x5a/0x70 net/socket.c:1900<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f24e46039b9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032<br /> RAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9<br /> RDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004<br /> RBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0<br /> R10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c<br /> R13:<br /> ---truncated---