| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/linux/skmsg.h", |
| "net/core/skmsg.c" |
| ], |
| "versions": [ |
| { |
| "version": "604326b41a6fb9b4a78b6179335decee0365cd8c", |
| "lessThan": "c0809c128dad4c3413818384eb06a341633db973", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "604326b41a6fb9b4a78b6179335decee0365cd8c", |
| "lessThan": "5965bc7535fb87510b724e5465ccc1a1cf00916d", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "604326b41a6fb9b4a78b6179335decee0365cd8c", |
| "lessThan": "39dc9e1442385d6e9be0b6491ee488dddd55ae27", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "604326b41a6fb9b4a78b6179335decee0365cd8c", |
| "lessThan": "b397a0ab8582c533ec0c6b732392f141fc364f87", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "604326b41a6fb9b4a78b6179335decee0365cd8c", |
| "lessThan": "772d5729b5ff0df0d37b32db600ce635b2172f80", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "604326b41a6fb9b4a78b6179335decee0365cd8c", |
| "lessThan": "6648e613226e18897231ab5e42ffc29e63fa3365", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/linux/skmsg.h", |
| "net/core/skmsg.c" |
| ], |
| "versions": [ |
| { |
| "version": "4.20", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "4.20", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.223", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.159", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.91", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.31", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.8.10", |
| "lessThanOrEqual": "6.8.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.9", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20", |
| "versionEndExcluding": "5.10.223" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20", |
| "versionEndExcluding": "5.15.159" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20", |
| "versionEndExcluding": "6.1.91" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20", |
| "versionEndExcluding": "6.6.31" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20", |
| "versionEndExcluding": "6.8.10" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20", |
| "versionEndExcluding": "6.9" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365" |
| } |
| ], |
| "title": "bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-36938", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
