CVE-2024-53119

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/12/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio/vsock: Fix accept_queue memory leak

As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.

vsock_release
  __vsock_release
    lock
    virtio_transport_release
      virtio_transport_close
        schedule_delayed_work(close_work)
    sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
    release
                                        virtio_transport_recv_pkt
                                          vsock_find_bound_socket
                                          lock
                                          if flag(SOCK_DONE) return
                                          virtio_transport_recv_listen
                                            child = vsock_create_connected
                                      (!)   vsock_enqueue_accept(child)
                                          release
close_work
  lock
  virtio_transport_do_close
    set_flag(SOCK_DONE)
    virtio_transport_remove_sock
      vsock_remove_sock
        vsock_remove_bound
  release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.

unreferenced object 0xffff888109e3f800 (size 2040):
  comm "kworker/5:2", pid 371, jiffies 4294940105
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
  backtrace (crc 9e5f4e84):
    [] kmem_cache_alloc_noprof+0x2c1/0x360
    [] sk_prot_alloc+0x30/0x120
    [] sk_alloc+0x2c/0x4b0
    [] __vsock_create.constprop.0+0x2a/0x310
    [] virtio_transport_recv_pkt+0x4dc/0x9a0
    [] vsock_loopback_work+0xfd/0x140
    [] process_one_work+0x20c/0x570
    [] worker_thread+0x1bf/0x3a0
    [] kthread+0xdd/0x110
    [] ret_from_fork+0x2d/0x50
    [] ret_from_fork_asm+0x1a/0x30
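
The window between the accept_queue flush and SOCK_DONE can be replayed deterministically in user space. The C model below is an added example, not the kernel patch or code from this advisory; `struct listener`, `model_flush()`, `model_recv_listen()` and `leaked_after_race()` are hypothetical names, and a single-threaded replay of the three steps stands in for the real concurrency.

```c
/* User-space model of the interleaving in the description above.
 * All names here are hypothetical; this is not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define SHUTDOWN_MASK 3
struct child { struct child *next; };
struct listener {
    int sk_shutdown;             /* set to SHUTDOWN_MASK on release */
    bool sock_done;              /* SOCK_DONE, set later by close_work */
    struct child *accept_queue;
};

/* Free everything queued; returns how many children were freed. */
static int model_flush(struct listener *l) {
    int n = 0;
    for (struct child *c; (c = l->accept_queue); n++) {
        l->accept_queue = c->next;
        free(c);
    }
    return n;
}

/* recv_pkt -> recv_listen path; check_shutdown models the added check. */
static bool model_recv_listen(struct listener *l, bool check_shutdown) {
    if (l->sock_done) return false;              /* the only pre-fix guard */
    if (check_shutdown && l->sk_shutdown == SHUTDOWN_MASK) return false;
    struct child *c = calloc(1, sizeof(*c));
    if (!c) return false;
    c->next = l->accept_queue;                   /* vsock_enqueue_accept(child) */
    l->accept_queue = c;
    return true;
}

/* Replay release -> packet -> close_work; return children left queued. */
int leaked_after_race(bool check_shutdown) {
    struct listener l = {0};
    model_recv_listen(&l, check_shutdown);  /* queued before close: flushed */
    l.sk_shutdown = SHUTDOWN_MASK;          /* release path marks shutdown */
    model_flush(&l);                        /* (!) the one and only flush */
    model_recv_listen(&l, check_shutdown);  /* (!) packet in the window */
    l.sock_done = true;                     /* delayed close_work runs */
    return model_flush(&l);                 /* model-only cleanup = leak count */
}

int main(void) {
    printf("leaked without check: %d, with check: %d\n",
           leaked_after_race(false), leaked_after_race(true));
    return 0;
}
```

In the kernel nothing performs the final cleanup that the model uses to count, which is why the child socket shows up in the kmemleak report as an unreferenced object.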

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.10 (including)  6.1.119 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)   6.6.63 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)   6.11.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*