CVE-2024-46858

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/09/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: Fix uaf in __timer_delete_sync

There are two paths to access mptcp_pm_del_add_timer, result in a race
condition:

CPU1                              CPU2
====                              ====
net_rx_action
napi_poll                         netlink_sendmsg
__napi_poll                       netlink_unicast
process_backlog                   netlink_unicast_kernel
__netif_receive_skb               genl_rcv
__netif_receive_skb_one_core      netlink_rcv_skb
NF_HOOK                           genl_rcv_msg
ip_local_deliver_finish           genl_family_rcv_msg
ip_protocol_deliver_rcu           genl_family_rcv_msg_doit
tcp_v4_rcv                        mptcp_pm_nl_flush_addrs_doit
tcp_v4_do_rcv                     mptcp_nl_remove_addrs_list
tcp_rcv_established               mptcp_pm_remove_addrs_and_subflows
tcp_data_queue                    remove_anno_list_by_saddr
mptcp_incoming_options            mptcp_pm_del_add_timer
mptcp_pm_del_add_timer            kfree(entry)

In remove_anno_list_by_saddr (running on CPU2), after leaving the critical
zone protected by "pm.lock", the entry will be released, which leads to the
occurrence of uaf in the mptcp_pm_del_add_timer (running on CPU1).

Keeping a reference to add_timer inside the lock, and calling
sk_stop_timer_sync() with this reference, instead of "entry->add_timer".

Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
do not directly access any members of the entry outside the pm lock, which
can avoid similar "entry->x" uaf.
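The locking pattern the fix describes, modelled in user space as an added example (this is not the kernel's code; the struct and function names are hypothetical stand-ins, and pm.lock is a flag standing in for the real spinlock):

```c
#include <stdbool.h>
#include <string.h>

/* User-space model with hypothetical names: an announced-address entry and its
 * ADD_ADDR retransmit timer, on a singly linked list guarded by pm.lock
 * (a flag here, standing in for the kernel spinlock). */
struct add_timer { bool armed; };
struct anno_entry { struct anno_entry *next; char addr[16]; struct add_timer *add_timer; };
struct pm { bool locked; struct anno_entry *head; };

static void pm_lock(struct pm *pm)   { pm->locked = true; }
static void pm_unlock(struct pm *pm) { pm->locked = false; }
static void stop_timer_sync(struct add_timer *t) { t->armed = false; } /* sk_stop_timer_sync() stand-in */

/* The pattern the fix describes: find the entry, unlink it (list_del) and copy
 * its add_timer pointer while pm.lock is held; after the unlock only the saved
 * pointer is touched, never entry->add_timer, so a concurrent remove-and-kfree
 * of the entry cannot turn the timer stop into a use-after-free. */
static struct anno_entry *pm_del_add_timer(struct pm *pm, const char *addr)
{
	struct anno_entry **pp, *entry = NULL;
	struct add_timer *timer = NULL;
	pm_lock(pm);
	for (pp = &pm->head; *pp; pp = &(*pp)->next) {
		if (strcmp((*pp)->addr, addr) == 0) {
			entry = *pp;
			*pp = entry->next;        /* list_del() inside the lock */
			entry->next = NULL;
			timer = entry->add_timer; /* reference taken inside the lock */
			break;
		}
	}
	pm_unlock(pm);
	if (timer)
		stop_timer_sync(timer);   /* uses the saved reference, not entry->add_timer */
	return entry; /* caller owns the unlinked entry and frees it */
}

/* Constructed scenario: two announced addresses, delete one, keep the other.
 * Returns 1 when every expectation holds. */
static int demo(void)
{
	struct add_timer t1 = { true }, t2 = { true };
	struct anno_entry e2 = { NULL, "10.0.0.2", &t2 };
	struct anno_entry e1 = { &e2, "10.0.0.1", &t1 };
	struct pm pm = { false, &e1 };
	if (pm_del_add_timer(&pm, "10.0.0.2") != &e2 || t2.armed || !t1.armed ||
	    pm.head != &e1 || e1.next != NULL)
		return 0;
	return pm_del_add_timer(&pm, "10.0.0.2") == NULL; /* already unlinked */
}
```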

Vulnerable products and versions

CPE                                                   From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          5.10 (including)   6.1.111 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.2 (including)    6.6.52 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.7 (including)    6.10.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*