CVE-2024-53168

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket<br /> <br /> BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0<br /> Read of size 1 at addr ffff888111f322cd by task swapper/0/0<br /> <br /> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x68/0xa0<br /> print_address_description.constprop.0+0x2c/0x3d0<br /> print_report+0xb4/0x270<br /> kasan_report+0xbd/0xf0<br /> tcp_write_timer_handler+0x156/0x3e0<br /> tcp_write_timer+0x66/0x170<br /> call_timer_fn+0xfb/0x1d0<br /> __run_timers+0x3f8/0x480<br /> run_timer_softirq+0x9b/0x100<br /> handle_softirqs+0x153/0x390<br /> __irq_exit_rcu+0x103/0x120<br /> irq_exit_rcu+0xe/0x20<br /> sysvec_apic_timer_interrupt+0x76/0x90<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x1a/0x20<br /> RIP: 0010:default_idle+0xf/0x20<br /> Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90<br /> 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 c3 cc cc cc<br /> cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90<br /> RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242<br /> RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d<br /> R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000<br /> R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0<br /> default_idle_call+0x6b/0xa0<br /> cpuidle_idle_call+0x1af/0x1f0<br /> do_idle+0xbc/0x130<br /> cpu_startup_entry+0x33/0x40<br /> rest_init+0x11f/0x210<br /> start_kernel+0x39a/0x420<br /> x86_64_start_reservations+0x18/0x30<br /> x86_64_start_kernel+0x97/0xa0<br /> common_startup_64+0x13e/0x141<br /> <br /> <br /> Allocated by task 595:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_slab_alloc+0x87/0x90<br /> kmem_cache_alloc_noprof+0x12b/0x3f0<br /> copy_net_ns+0x94/0x380<br /> create_new_namespaces+0x24c/0x500<br /> unshare_nsproxy_namespaces+0x75/0xf0<br /> ksys_unshare+0x24e/0x4f0<br /> __x64_sys_unshare+0x1f/0x30<br /> do_syscall_64+0x70/0x180<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 100:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x60<br /> __kasan_slab_free+0x54/0x70<br /> kmem_cache_free+0x156/0x5d0<br /> cleanup_net+0x5d3/0x670<br /> process_one_work+0x776/0xa90<br /> worker_thread+0x2e2/0x560<br /> kthread+0x1a8/0x1f0<br /> ret_from_fork+0x34/0x60<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Reproduction script:<br /> <br /> mkdir -p /mnt/nfsshare<br /> mkdir -p /mnt/nfs/netns_1<br /> mkfs.ext4 /dev/sdb<br /> mount /dev/sdb /mnt/nfsshare<br /> systemctl restart nfs-server<br /> chmod 777 /mnt/nfsshare<br /> exportfs -i -o rw,no_root_squash *:/mnt/nfsshare<br /> <br /> ip netns add netns_1<br /> ip link add name veth_1_peer type veth peer veth_1<br /> ifconfig veth_1_peer 11.11.0.254 up<br /> ip link set veth_1 netns netns_1<br /> ip netns exec netns_1 ifconfig veth_1 11.11.0.1<br /> <br /> ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \<br /> --tcp-flags FIN FIN -j DROP<br /> <br /> (note: In my environment, a DESTROY_CLIENTID operation is always sent<br /> immediately, breaking the nfs tcp connection.)<br /> ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \<br /> 11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1<br /> <br /> ip netns del netns_1<br /> <br /> The reason here is that the tcp socket in netns_1 (nfs side) has been<br /> shutdown and closed (done in xs_destroy), but the FIN message (with ack)<br /> is discarded, and the nfsd side keeps sending retransmission messages.<br /> As a result, when the tcp sock in netns_1 processes the received message,<br /> it sends the message (FIN message) in the sending queue, and the tcp timer<br /> is re-established. When the network namespace is deleted, the net structure<br /> accessed by tcp&amp;#39;s timer handler function causes problems.<br /> <br /> To fix this problem, let&amp;#39;s hold netns refcnt for the tcp kernel socket as<br /> done in other modules. This is an ugly hack which can easily be backported<br /> to earlier kernels. A proper fix which cleans up the interfaces will<br /> follow, but may not be so easy to backport.