CVE-2024-26741

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/04/2024
Last modified: 17/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().

syzkaller reported a warning [0] in inet_csk_destroy_sock() with no repro.

WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);

However, the syzkaller's log hinted that connect() failed just before the warning due to FAULT_INJECTION. [1]

When connect() is called for an unbound socket, we search for an available ephemeral port. If a bhash bucket exists for the port, we call __inet_check_established() or __inet6_check_established() to check if the bucket is reusable.

If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.

Later, we look up the corresponding bhash2 bucket and try to allocate it if it does not exist.

Although it rarely occurs in real use, if the allocation fails, we must revert the changes by check_established(). Otherwise, an unconnected socket could illegally occupy an ehash entry.

Note that we do not put tw back into ehash because sk might have already responded to a packet for tw and it would be better to free tw earlier under such memory pressure.

[0]:
WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
Modules linked in:
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05
RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40
RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8
RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0
R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000
FS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:

 ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
 dccp_close (net/dccp/proto.c:1078)
 inet_release (net/ipv4/af_inet.c:434)
 __sock_release (net/socket.c:660)
 sock_close (net/socket.c:1423)
 __fput (fs/file_table.c:377)
 __fput_sync (fs/file_table.c:462)
 __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)
 do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
RIP: 0033:0x7f03e53852bb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44
RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb
RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c
R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000
R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170

[1]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:

 dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
 should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
 should_failslab (mm/slub.c:3748)
 kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)
 inet_bind2_bucket_create
---truncated---

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.1 (including)    6.1.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)    6.6.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)    6.7.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*  (single version)
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*  (single version)
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*  (single version)
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*  (single version)
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*  (single version)