CVE-2024-36489

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/06/2024
Last modified:
09/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

tls: fix missing memory barrier in tls_init

In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.

CPU0                                        CPU1
-----                                       -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots)     -(2)

                                            // In sock_common_setsockopt()
                                            READ_ONCE(sk->sk_prot)->setsockopt()

                                            // In tls_{setsockopt,getsockopt}()
                                            ctx->sk_proto->setsockopt()  -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.

To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto is visible when
changing sk->sk_prot.
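A user-space model of the ordering problem above, added here as an example; it is not kernel code and not the patch itself. It uses C11 atomics and pthreads: the names tls_init_model, publish_ctx, consumer and count_null_derefs, the two stand-in protocols, and the use of atomic_thread_fence(memory_order_release) in place of the release semantic of rcu_assign_pointer() are all assumptions of this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct proto { int id; };
struct tls_context { struct proto *sk_proto; };
struct sock { _Atomic(struct proto *) sk_prot;               /* switched by (2) */
              _Atomic(struct tls_context *) icsk_ulp_data; }; /* where ctx is published */
static struct proto tcp_prot = { 6 }, tls_prot = { 42 };

/* rcu_assign_pointer() stand-in: publish ctx with release ordering. */
static void publish_ctx(struct sock *sk, struct tls_context *ctx) {
    atomic_store_explicit(&sk->icsk_ulp_data, ctx, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
}

/* CPU0, tls_init(): in the buggy order the release barrier comes before (1),
 * so nothing orders (1) before (2); the patch publishes ctx after (1). */
static void tls_init_model(struct sock *sk, struct tls_context *ctx, bool fixed) {
    if (!fixed) publish_ctx(sk, ctx);
    ctx->sk_proto = atomic_load_explicit(&sk->sk_prot, memory_order_relaxed); /* (1) */
    if (fixed) publish_ctx(sk, ctx);
    atomic_store_explicit(&sk->sk_prot, &tls_prot, memory_order_relaxed);     /* (2) */
}

/* CPU1, sock_common_setsockopt() -> tls_setsockopt(): returns the pointer
 * step (3) would call through; NULL is the crash described in the advisory. */
static void *consumer(void *arg) {
    struct sock *sk = arg;
    while (atomic_load_explicit(&sk->sk_prot, memory_order_acquire) != &tls_prot)
        ;                                           /* still plain TCP, spin */
    struct tls_context *ctx = atomic_load_explicit(&sk->icsk_ulp_data, memory_order_relaxed);
    return ctx->sk_proto;                           /* (3) */
}

/* Runs the race `trials` times, returning how often (3) would have seen NULL:
 * always 0 with fixed=true; with fixed=false it depends on the CPU's ordering. */
static int count_null_derefs(bool fixed, int trials) {
    int nulls = 0;
    for (int i = 0; i < trials; i++) {
        struct sock sk = { &tcp_prot, NULL };
        struct tls_context ctx = { NULL };          /* kzalloc(): sk_proto == NULL */
        pthread_t t; void *seen;
        pthread_create(&t, NULL, consumer, &sk);
        tls_init_model(&sk, &ctx, fixed);
        pthread_join(t, &seen);
        nulls += (seen == NULL);
    }
    return nulls;
}
```

On x86 the buggy order rarely shows a NULL because TSO keeps stores in program order, so count_null_derefs(false, n) may return 0 there; count_null_derefs(true, n) is 0 on every CPU because the release fence before (2) and the acquire load in the consumer order (1) before (3).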

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.7 (including)   5.10.219 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)  5.15.161 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)  6.1.93 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)   6.6.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)   6.9.4 (excluding)