CVE-2024-26732
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2024
Last modified:
03/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: implement lockless setsockopt(SO_PEEK_OFF)<br />
<br />
syzbot reported a lockdep violation [1] involving af_unix<br />
support of SO_PEEK_OFF.<br />
<br />
Since SO_PEEK_OFF is inherently not thread safe (it uses a per-socket<br />
sk_peek_off field), there is really no point to enforce a pointless<br />
thread safety in the kernel.<br />
<br />
After this patch :<br />
<br />
- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.<br />
<br />
- skb_consume_udp() no longer has to acquire the socket lock.<br />
<br />
- af_unix no longer needs a special version of sk_set_peek_off(),<br />
because it does not lock u->iolock anymore.<br />
<br />
As a followup, we could replace prot->set_peek_off to be a boolean<br />
and avoid an indirect call, since we always use sk_set_peek_off().<br />
<br />
[1]<br />
<br />
WARNING: possible circular locking dependency detected<br />
6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted<br />
<br />
syz-executor.2/30025 is trying to acquire lock:<br />
ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789<br />
<br />
but task is already holding lock:<br />
ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]<br />
ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]<br />
ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193<br />
<br />
which lock already depends on the new lock.<br />
<br />
the existing dependency chain (in reverse order) is:<br />
<br />
-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:<br />
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br />
lock_sock_nested+0x48/0x100 net/core/sock.c:3524<br />
lock_sock include/net/sock.h:1691 [inline]<br />
__unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415<br />
sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046<br />
____sys_recvmsg+0x3c0/0x470 net/socket.c:2801<br />
___sys_recvmsg net/socket.c:2845 [inline]<br />
do_recvmmsg+0x474/0xae0 net/socket.c:2939<br />
__sys_recvmmsg net/socket.c:3018 [inline]<br />
__do_sys_recvmmsg net/socket.c:3041 [inline]<br />
__se_sys_recvmmsg net/socket.c:3034 [inline]<br />
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034<br />
do_syscall_64+0xf9/0x240<br />
entry_SYSCALL_64_after_hwframe+0x6f/0x77<br />
<br />
-> #0 (&u->iolock){+.+.}-{3:3}:<br />
check_prev_add kernel/locking/lockdep.c:3134 [inline]<br />
check_prevs_add kernel/locking/lockdep.c:3253 [inline]<br />
validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869<br />
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137<br />
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br />
__mutex_lock_common kernel/locking/mutex.c:608 [inline]<br />
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752<br />
unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789<br />
sk_setsockopt+0x207e/0x3360<br />
do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307<br />
__sys_setsockopt+0x1ad/0x250 net/socket.c:2334<br />
__do_sys_setsockopt net/socket.c:2343 [inline]<br />
__se_sys_setsockopt net/socket.c:2340 [inline]<br />
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340<br />
do_syscall_64+0xf9/0x240<br />
entry_SYSCALL_64_after_hwframe+0x6f/0x77<br />
<br />
other info that might help us debug this:<br />
<br />
Possible unsafe locking scenario:<br />
<br />
CPU0 CPU1<br />
---- ----<br />
lock(sk_lock-AF_UNIX);<br />
lock(&u->iolock);<br />
lock(sk_lock-AF_UNIX);<br />
lock(&u->iolock);<br />
<br />
*** DEADLOCK ***<br />
<br />
1 lock held by syz-executor.2/30025:<br />
#0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]<br />
#0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]<br />
#0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193<br />
<br />
stack backtrace:<br />
CPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0<br />
Hardware name: Google Google C<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page