CVE-2024-26782

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
04/04/2024
Last modified:
10/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix double-free on socket dismantle

when MPTCP server accepts an incoming connection, it clones its listener
socket. However, the pointer to 'inet_opt' for the new socket has the same
value as the original one: as a consequence, on program exit it's possible
to observe the following splat:

BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0
Free of addr ffff888485950880 by task swapper/25/0

CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609
Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
Call Trace:

 dump_stack_lvl+0x32/0x50
 print_report+0xca/0x620
 kasan_report_invalid_free+0x64/0x90
 __kasan_slab_free+0x1aa/0x1f0
 kfree+0xed/0x2e0
 inet_sock_destruct+0x54f/0x8b0
 __sk_destruct+0x48/0x5b0
 rcu_do_batch+0x34e/0xd90
 rcu_core+0x559/0xac0
 __do_softirq+0x183/0x5a4
 irq_exit_rcu+0x12d/0x170
 sysvec_apic_timer_interrupt+0x6b/0x80

 asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:cpuidle_enter_state+0x175/0x300
Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b
RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000
RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588
RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080
R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0
R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80
 cpuidle_enter+0x4a/0xa0
 do_idle+0x310/0x410
 cpu_startup_entry+0x51/0x60
 start_secondary+0x211/0x270
 secondary_startup_64_no_verify+0x184/0x18b

Allocated by task 6853:
 kasan_save_stack+0x1c/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0xa6/0xb0
 __kmalloc+0x1eb/0x450
 cipso_v4_sock_setattr+0x96/0x360
 netlbl_sock_setattr+0x132/0x1f0
 selinux_netlbl_socket_post_create+0x6c/0x110
 selinux_socket_post_create+0x37b/0x7f0
 security_socket_post_create+0x63/0xb0
 __sock_create+0x305/0x450
 __sys_socket_create.part.23+0xbd/0x130
 __sys_socket+0x37/0xb0
 __x64_sys_socket+0x6f/0xb0
 do_syscall_64+0x83/0x160
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Freed by task 6858:
 kasan_save_stack+0x1c/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x12c/0x1f0
 kfree+0xed/0x2e0
 inet_sock_destruct+0x54f/0x8b0
 __sk_destruct+0x48/0x5b0
 subflow_ulp_release+0x1f0/0x250
 tcp_cleanup_ulp+0x6e/0x110
 tcp_v4_destroy_sock+0x5a/0x3a0
 inet_csk_destroy_sock+0x135/0x390
 tcp_fin+0x416/0x5c0
 tcp_data_queue+0x1bc8/0x4310
 tcp_rcv_state_process+0x15a3/0x47b0
 tcp_v4_do_rcv+0x2c1/0x990
 tcp_v4_rcv+0x41fb/0x5ed0
 ip_protocol_deliver_rcu+0x6d/0x9f0
 ip_local_deliver_finish+0x278/0x360
 ip_local_deliver+0x182/0x2c0
 ip_rcv+0xb5/0x1c0
 __netif_receive_skb_one_core+0x16e/0x1b0
 process_backlog+0x1e3/0x650
 __napi_poll+0xa6/0x500
 net_rx_action+0x740/0xbb0
 __do_softirq+0x183/0x5a4

The buggy address belongs to the object at ffff888485950880
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff888485950880, ffff8884859508c0)

The buggy address belongs to the physical page:
page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950
flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006
raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888485950780: fa fb fb
---truncated---
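The mechanism in the commit message is an ownership bug on clone: the accepted socket is a byte-for-byte copy of the listener, so both hold the same inet_opt pointer and both destructors free it. The following user-space C model is an added example, not the kernel's code and not the actual fix; the types and functions (model_sock, ip_options_model, clone_shallow, clone_deep, sock_destruct, run_scenario) and the option bytes are constructed here. A small allocation ledger plays the role KASAN plays in the splat above: it counts a second free of the same block instead of letting the C runtime abort, and the deep-copying clone shows the shape of a fix in which each socket owns exactly one option block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Option block owned by a socket: optlen bytes of raw options (model only). */
struct ip_options_model {
    size_t optlen;
    unsigned char data[];
};

/* Socket model: the only owned heap pointer besides the socket itself. */
struct model_sock {
    int id;
    struct ip_options_model *inet_opt;   /* may be NULL */
};

/* Tiny live-allocation ledger standing in for KASAN: free() is only called on
 * blocks the ledger still tracks, so a second free is counted, not crashed. */
#define LEDGER_MAX 32
static void *ledger[LEDGER_MAX];
static int double_free_count;

static void ledger_add(void *p)
{
    for (int i = 0; i < LEDGER_MAX; i++)
        if (ledger[i] == NULL) { ledger[i] = p; return; }
    abort();   /* ledger exhausted; cannot happen in this example */
}

/* Releases p if it is a live block; otherwise records a double free. */
static void ledger_release(void *p)
{
    for (int i = 0; i < LEDGER_MAX; i++)
        if (ledger[i] == p) { ledger[i] = NULL; free(p); return; }
    double_free_count++;
}

int model_double_free_count(void) { return double_free_count; }
void model_reset(void) { double_free_count = 0; memset(ledger, 0, sizeof ledger); }

static struct ip_options_model *opt_alloc(const unsigned char *src, size_t len)
{
    struct ip_options_model *o = malloc(sizeof *o + len);
    if (o == NULL) abort();
    o->optlen = len;
    memcpy(o->data, src, len);
    ledger_add(o);
    return o;
}

struct model_sock *sock_create(int id, const unsigned char *opts, size_t optlen)
{
    struct model_sock *sk = calloc(1, sizeof *sk);
    if (sk == NULL) abort();
    ledger_add(sk);
    sk->id = id;
    if (opts != NULL)
        sk->inet_opt = opt_alloc(opts, optlen);
    return sk;
}

/* Buggy clone: struct copy, so parent and child share one inet_opt block. */
struct model_sock *clone_shallow(const struct model_sock *parent, int id)
{
    struct model_sock *child = malloc(sizeof *child);
    if (child == NULL) abort();
    *child = *parent;
    child->id = id;
    ledger_add(child);
    return child;
}

/* Fixed clone: the child gets its own copy of the option block (or NULL). */
struct model_sock *clone_deep(const struct model_sock *parent, int id)
{
    struct model_sock *child = clone_shallow(parent, id);
    child->inet_opt = parent->inet_opt
        ? opt_alloc(parent->inet_opt->data, parent->inet_opt->optlen) : NULL;
    return child;
}

/* Destructor in the spirit of inet_sock_destruct: options first, then socket. */
void sock_destruct(struct model_sock *sk)
{
    if (sk->inet_opt != NULL)
        ledger_release(sk->inet_opt);
    ledger_release(sk);
}

/* Listener accepts one child via the given clone, then both are torn down.
 * Returns the number of double frees observed (0 means the clone is safe). */
int run_scenario(struct model_sock *(*clone)(const struct model_sock *, int))
{
    static const unsigned char opts[] = { 0x01, 0x01, 0x00, 0x00 };   /* constructed */
    model_reset();
    struct model_sock *listener = sock_create(1, opts, sizeof opts);
    struct model_sock *child = clone(listener, 2);
    sock_destruct(child);      /* peer closes: the accepted socket is destroyed */
    sock_destruct(listener);   /* process exit: the listener is destroyed */
    return model_double_free_count();
}

int main(void)
{
    printf("shallow clone: %d double free(s)\n", run_scenario(clone_shallow));
    printf("deep clone:    %d double free(s)\n", run_scenario(clone_deep));
    return 0;
}
```

The shallow scenario reproduces the structure of the splat: the first destructor frees the shared block, the second one frees the same address again. The deep clone is the general remedy for this class of bug whenever an object with an owned pointer is duplicated by struct assignment: either copy what the pointer owns, or clear the pointer in the copy, but never let two destructors believe they own one block.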

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.6 (including) 5.10.212 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.151 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*