CVE-2024-50186

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: explicitly clear the sk pointer, when pf-&gt;create fails<br /> <br /> We have recently noticed the exact same KASAN splat as in commit<br /> 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket<br /> creation fails"). The problem is that commit did not fully address the<br /> problem, as some pf-&gt;create implementations do not use sk_common_release<br /> in their error paths.<br /> <br /> For example, we can use the same reproducer as in the above commit, but<br /> changing ping to arping. arping uses AF_PACKET socket and if packet_create<br /> fails, it will just sk_free the allocated sk object.<br /> <br /> While we could chase all the pf-&gt;create implementations and make sure they<br /> NULL the freed sk object on error from the socket, we can&amp;#39;t guarantee<br /> future protocols will not make the same mistake.<br /> <br /> So it is easier to just explicitly NULL the sk pointer upon return from<br /> pf-&gt;create in __sock_create. We do know that pf-&gt;create always releases the<br /> allocated sk object on error, so if the pointer is not NULL, it is<br /> definitely dangling.