CVE-2024-46771

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/09/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Remove proc entry when dev is unregistered.

syzkaller reported a warning in bcm_connect() below. [0]

The repro calls connect() to vxcan1, removes vxcan1, and calls
connect() with ifindex == 0.

Calling connect() for a BCM socket allocates a proc entry.
Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().

However, removing the bound device resets bcm_sk(sk)->bound to 0
in bcm_notify().

The 2nd connect() tries to allocate a proc entry with the same
name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
original proc entry.

Since the proc entry is available only for connect()ed sockets,
let's clean up the entry when the bound netdev is unregistered.

[0]:
proc_dir_entry 'can-bcm/2456' already registered
WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
Modules linked in:
CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:

proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
bcm_connect+0x472/0x840 net/can/bcm.c:1673
__sys_connect_file net/socket.c:2049 [inline]
__sys_connect+0x5d2/0x690 net/socket.c:2066
__do_sys_connect net/socket.c:2076 [inline]
__se_sys_connect net/socket.c:2073 [inline]
__x64_sys_connect+0x8f/0x100 net/socket.c:2073
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fbd708b0e5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000

remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'

Vulnerable products and versions

CPE                                              | From              | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 2.6.25 (including) | 4.19.322 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 4.20 (including)   | 5.4.284 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.5 (including)    | 5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.11 (including)   | 5.15.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.16 (including)   | 6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 6.2 (including)    | 6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 6.7 (including)    | 6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | (exact version)    |
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | (exact version)    |
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | (exact version)    |
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | (exact version)    |
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* | (exact version)    |
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:* | (exact version)    |