cve/published/2024/CVE-2024-26782.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\n\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\n\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\n\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\n\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "net/mptcp/protocol.c"
                ],
                "versions": [
                   {
                      "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
                      "lessThan": "f74362a004225df935863dea6eb7d82daaa5b16e",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
                      "lessThan": "4a4eeb6912538c2d0b158e8d11b62d96c1dada4e",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
                      "lessThan": "d93fd40c62397326046902a2c5cb75af50882a85",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
                      "lessThan": "ce0809ada38dca8d6d41bb57ab40494855c30582",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
                      "lessThan": "85933e80d077c9ae2227226beb86c22f464059cc",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
                      "lessThan": "10048689def7e40a4405acda16fdc6477d4ecc5c",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "net/mptcp/protocol.c"
                ],
                "versions": [
                   {
                      "version": "5.6",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "5.6",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.10.212",
                      "lessThanOrEqual": "5.10.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.151",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.1.81",
                      "lessThanOrEqual": "6.1.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.6.21",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.7.9",
                      "lessThanOrEqual": "6.7.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.8",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.10.212"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.15.151"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "6.1.81"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "6.6.21"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "6.7.9"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "6.8"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e"
             },
             {
                "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e"
             },
             {
                "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85"
             },
             {
                "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582"
             },
             {
                "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc"
             },
             {
                "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c"
             }
          ],
          "title": "mptcp: fix double-free on socket dismantle",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-26782",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n Free of addr ffff888485950880 by task swapper/25/0\n\n CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013\n Call Trace:\n <IRQ>\n dump_stack_lvl+0x32/0x50\n print_report+0xca/0x620\n kasan_report_invalid_free+0x64/0x90\n __kasan_slab_free+0x1aa/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n rcu_do_batch+0x34e/0xd90\n rcu_core+0x559/0xac0\n __do_softirq+0x183/0x5a4\n irq_exit_rcu+0x12d/0x170\n sysvec_apic_timer_interrupt+0x6b/0x80\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n RIP: 0010:cpuidle_enter_state+0x175/0x300\n Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n cpuidle_enter+0x4a/0xa0\n do_idle+0x310/0x410\n cpu_startup_entry+0x51/0x60\n start_secondary+0x211/0x270\n secondary_startup_64_no_verify+0x184/0x18b\n </TASK>\n\n Allocated by task 6853:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n __kmalloc+0x1eb/0x450\n cipso_v4_sock_setattr+0x96/0x360\n netlbl_sock_setattr+0x132/0x1f0\n selinux_netlbl_socket_post_create+0x6c/0x110\n selinux_socket_post_create+0x37b/0x7f0\n security_socket_post_create+0x63/0xb0\n __sock_create+0x305/0x450\n __sys_socket_create.part.23+0xbd/0x130\n __sys_socket+0x37/0xb0\n __x64_sys_socket+0x6f/0xb0\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 6858:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x12c/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n subflow_ulp_release+0x1f0/0x250\n tcp_cleanup_ulp+0x6e/0x110\n tcp_v4_destroy_sock+0x5a/0x3a0\n inet_csk_destroy_sock+0x135/0x390\n tcp_fin+0x416/0x5c0\n tcp_data_queue+0x1bc8/0x4310\n tcp_rcv_state_process+0x15a3/0x47b0\n tcp_v4_do_rcv+0x2c1/0x990\n tcp_v4_rcv+0x41fb/0x5ed0\n ip_protocol_deliver_rcu+0x6d/0x9f0\n ip_local_deliver_finish+0x278/0x360\n ip_local_deliver+0x182/0x2c0\n ip_rcv+0xb5/0x1c0\n __netif_receive_skb_one_core+0x16e/0x1b0\n process_backlog+0x1e3/0x650\n __napi_poll+0xa6/0x500\n net_rx_action+0x740/0xbb0\n __do_softirq+0x183/0x5a4\n\n The buggy address belongs to the object at ffff888485950880\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes inside of\n 64-byte region [ffff888485950880, ffff8884859508c0)\n\n The buggy address belongs to the physical page:\n page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n flags: 0x57ffffc0000800(slab\|node=1\|zone=2\|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888485950780: fa fb fb\n---truncated---"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"net/mptcp/protocol.c"
	],
	"versions": [
	{
	"version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
	"lessThan": "f74362a004225df935863dea6eb7d82daaa5b16e",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
	"lessThan": "4a4eeb6912538c2d0b158e8d11b62d96c1dada4e",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
	"lessThan": "d93fd40c62397326046902a2c5cb75af50882a85",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
	"lessThan": "ce0809ada38dca8d6d41bb57ab40494855c30582",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
	"lessThan": "85933e80d077c9ae2227226beb86c22f464059cc",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be",
	"lessThan": "10048689def7e40a4405acda16fdc6477d4ecc5c",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"net/mptcp/protocol.c"
	],
	"versions": [
	{
	"version": "5.6",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "5.6",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.10.212",
	"lessThanOrEqual": "5.10.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.151",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.1.81",
	"lessThanOrEqual": "6.1.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.6.21",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.7.9",
	"lessThanOrEqual": "6.7.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.8",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.10.212"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.15.151"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "6.1.81"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "6.6.21"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "6.7.9"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "6.8"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e"
	},
	{
	"url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e"
	},
	{
	"url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85"
	},
	{
	"url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582"
	},
	{
	"url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc"
	},
	{
	"url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c"
	}
	],
	"title": "mptcp: fix double-free on socket dismantle",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-26782",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}