CVE-2024-53124

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 02/12/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix data-races around sk->sk_forward_alloc

Syzkaller reported this warning:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

 ? __warn+0x88/0x130
 ? inet_sock_destruct+0x1c5/0x1e0
 ? report_bug+0x18e/0x1a0
 ? handle_bug+0x53/0x90
 ? exc_invalid_op+0x18/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? inet_sock_destruct+0x1c5/0x1e0
 __sk_destruct+0x2a/0x200
 rcu_do_batch+0x1aa/0x530
 ? rcu_do_batch+0x13b/0x530
 rcu_core+0x159/0x2f0
 handle_softirqs+0xd3/0x2b0
 ? __pfx_smpboot_thread_fn+0x10/0x10
 run_ksoftirqd+0x25/0x30
 smpboot_thread_fn+0xdd/0x1d0
 kthread+0xd3/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30

---[ end trace 0000000000000000 ]---

It's possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
which triggers a data-race around sk->sk_forward_alloc:

tcp_v6_rcv
  tcp_v6_do_rcv
    skb_clone_and_charge_r
      sk_rmem_schedule
        __sk_mem_schedule
          sk_forward_alloc_add()
      skb_set_owner_r
        sk_mem_charge
          sk_forward_alloc_add()
    __kfree_skb
      skb_release_all
        skb_release_head_state
          sock_rfree
            sk_mem_uncharge
              sk_forward_alloc_add()
            sk_mem_reclaim
              // set local var reclaimable
              __sk_mem_reclaim
                sk_forward_alloc_add()

In this syzkaller testcase, two threads call
tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
this:

(cpu 1)              | (cpu 2)              | sk_forward_alloc
 ...                 | ...                  | 0
 __sk_mem_schedule() |                      | +4096 = 4096
                     | __sk_mem_schedule()  | +4096 = 8192
 sk_mem_charge()     |                      | -768 = 7424
                     | sk_mem_charge()      | -768 = 6656
 ...                 | ...                  |
 sk_mem_uncharge()   |                      | +768 = 7424
 reclaimable=7424    |                      |
                     | sk_mem_uncharge()    | +768 = 8192
                     | reclaimable=8192     |
 __sk_mem_reclaim()  |                      | -4096 = 4096
                     | __sk_mem_reclaim()   | -8192 = -4096 != 0

The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
Fix the same issue in dccp_v6_do_rcv().
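The interleaving table above can be replayed as a small model to see why the counter ends up negative and trips the WARN_ON in inet_sock_destruct(). The program below is an added illustration, not kernel code: the kernel helpers named in the description (__sk_mem_schedule, sk_mem_charge, sk_mem_uncharge, sk_mem_reclaim, __sk_mem_reclaim) are reduced to integer arithmetic on one shared counter, with a 4096-byte quantum and the report's skb->truesize of 768. The event schedules, the enum names and the helper names replay(), racy_final(), serialized_final() and would_warn() are this example's own inventions; the per-CPU "reclaimable" snapshot is modelled as a local that is read before the reclaim subtracts it, which is exactly what lets both CPUs reclaim overlapping quanta.

```c
#include <stdio.h>

/* Constants taken from the report: one accounting quantum (page) and the
 * skb->truesize of the cloned skb. */
#define SK_MEM_QUANTUM 4096
#define SKB_TRUESIZE   768

/* Each step stands in for one kernel helper on the path in the description. */
enum step {
    STEP_SCHEDULE,  /* __sk_mem_schedule(): reserve one whole quantum      */
    STEP_CHARGE,    /* sk_mem_charge(): the skb consumes truesize bytes     */
    STEP_UNCHARGE,  /* sk_mem_uncharge(): skb freed, truesize given back    */
    STEP_SNAPSHOT,  /* sk_mem_reclaim(): read the counter into a local      */
    STEP_RECLAIM    /* __sk_mem_reclaim(): return whole quanta of the local */
};

/* Per-CPU local state: the "reclaimable" variable sk_mem_reclaim() keeps. */
struct cpu_state { int reclaimable; };

/* One scheduled event in an interleaving: which CPU performs which step. */
struct event { int cpu; enum step step; };

/* Apply one step to the shared counter; no synchronisation, as on a
 * TCP_LISTEN socket where sk_lock is not held on this path. */
static void apply(int *sk_forward_alloc, struct cpu_state *c, enum step s)
{
    switch (s) {
    case STEP_SCHEDULE: *sk_forward_alloc += SK_MEM_QUANTUM; break;
    case STEP_CHARGE:   *sk_forward_alloc -= SKB_TRUESIZE;   break;
    case STEP_UNCHARGE: *sk_forward_alloc += SKB_TRUESIZE;   break;
    case STEP_SNAPSHOT: c->reclaimable = *sk_forward_alloc;  break;
    case STEP_RECLAIM:
        /* Round the (possibly stale) snapshot down to whole quanta and hand
         * that much back, mirroring the -4096 / -8192 rows of the table. */
        *sk_forward_alloc -= c->reclaimable & ~(SK_MEM_QUANTUM - 1);
        break;
    }
}

/* Replay an interleaving from a zeroed counter; return its final value. */
int replay(const struct event *ev, int n)
{
    int sk_forward_alloc = 0;
    struct cpu_state cpus[2] = { {0}, {0} };
    for (int i = 0; i < n; i++)
        apply(&sk_forward_alloc, &cpus[ev[i].cpu], ev[i].step);
    return sk_forward_alloc;
}

/* The interleaving reported by syzkaller (cpu 1 is index 0, cpu 2 is 1). */
static const struct event racy[] = {
    {0, STEP_SCHEDULE}, {1, STEP_SCHEDULE},
    {0, STEP_CHARGE},   {1, STEP_CHARGE},
    {0, STEP_UNCHARGE}, {0, STEP_SNAPSHOT},
    {1, STEP_UNCHARGE}, {1, STEP_SNAPSHOT},
    {0, STEP_RECLAIM},  {1, STEP_RECLAIM},
};

/* The same work with each CPU's sequence run to completion before the
 * other starts, i.e. what serialising on the socket lock would give. */
static const struct event serialized[] = {
    {0, STEP_SCHEDULE}, {0, STEP_CHARGE}, {0, STEP_UNCHARGE},
    {0, STEP_SNAPSHOT}, {0, STEP_RECLAIM},
    {1, STEP_SCHEDULE}, {1, STEP_CHARGE}, {1, STEP_UNCHARGE},
    {1, STEP_SNAPSHOT}, {1, STEP_RECLAIM},
};

int racy_final(void)       { return replay(racy, (int)(sizeof racy / sizeof racy[0])); }
int serialized_final(void) { return replay(serialized, (int)(sizeof serialized / sizeof serialized[0])); }

/* inet_sock_destruct() warns when the counter is non-zero at teardown. */
int would_warn(int sk_forward_alloc) { return sk_forward_alloc != 0; }

int main(void)
{
    printf("racy interleaving:  sk_forward_alloc = %d (warn=%d)\n",
           racy_final(), would_warn(racy_final()));
    printf("serialized order:   sk_forward_alloc = %d (warn=%d)\n",
           serialized_final(), would_warn(serialized_final()));
    return 0;
}
```

The racy schedule ends at -4096, the value the report shows, because cpu 2's snapshot of 8192 still contains the 4096 that cpu 1 reclaims a moment later. Serialising the two sequences leaves the counter at 0. The upstream fix does not add locking here; it removes the skb_clone_and_charge_r() call from the TCP_LISTEN path so that the charge only happens once the socket lock is held in tcp_v6_syn_recv_sock().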

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.4 (including)    6.11.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*