cve/published/2024/CVE-2024-36972.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36972: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

 Billy Jheng Bing-Jhong reported a race between __unix_gc() and
 queue_oob().

 __unix_gc() tries to garbage-collect close()d inflight sockets,
 and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC
 will drop the reference and set NULL to it locklessly.

 However, the peer socket still can send MSG_OOB message and
 queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading
 NULL pointer dereference. [0]

 To fix the issue, let's update unix_sk(sk)->oob_skb under the
 sk_receive_queue's lock and take it everywhere we touch oob_skb.

 Note that we defer kfree_skb() in manage_oob() to silence lockdep
 false-positive (See [1]).

 [0]:
 BUG: kernel NULL pointer dereference, address: 0000000000000008
  PF: supervisor write access in kernel mode
  PF: error_code(0x0002) - not-present page
 PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
 Oops: 0002 [#1] PREEMPT SMP PTI
 CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
 Workqueue: events delayed_fput
 RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
 Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
 RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
 RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
 RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
 RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
 R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
 R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
 FS:  0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
 PKRU: 55555554
 Call Trace:
  <TASK>
  unix_release_sock (net/unix/af_unix.c:654)
  unix_release (net/unix/af_unix.c:1050)
  __sock_release (net/socket.c:660)
  sock_close (net/socket.c:1423)
  __fput (fs/file_table.c:423)
  delayed_fput (fs/file_table.c:444 (discriminator 3))
  process_one_work (kernel/workqueue.c:3259)
  worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
  kthread (kernel/kthread.c:388)
  ret_from_fork (arch/x86/kernel/process.c:153)
  ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
  </TASK>
 Modules linked in:
 CR2: 0000000000000008

 The Linux kernel CVE team has assigned CVE-2024-36972 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.149 with commit 4fe505c63aa3273135a57597fda761e9aecc7668 and fixed in 5.15.161 with commit 518a994aa0b87d96f1bc6678a7035df5d1fcd7a1
 	Issue introduced in 6.1.78 with commit e0e09186d8821ad59806115d347ea32efa43ca4b and fixed in 6.1.93 with commit 4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1
 	Issue introduced in 6.6.17 with commit b74aa9ce13d02b7fd37c5325b99854f91b9b4276 and fixed in 6.6.33 with commit d59ae9314b97e01c76a4171472441e55721ba636
 	Issue introduced in 6.8 with commit 1279f9d9dec2d7462823a18c29ad61359e0a007d and fixed in 6.9.4 with commit 4708f49add84a57ce0ccc7bf9a6269845c631cc3
 	Issue introduced in 6.8 with commit 1279f9d9dec2d7462823a18c29ad61359e0a007d and fixed in 6.10 with commit 9841991a446c87f90f66f4b9fee6fe934c1336a2
 	Issue introduced in 6.7.5 with commit 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36972
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/af_unix.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1
 	https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1
 	https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636
 	https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3
 	https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36972: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

	Billy Jheng Bing-Jhong reported a race between __unix_gc() and
	queue_oob().

	__unix_gc() tries to garbage-collect close()d inflight sockets,
	and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC
	will drop the reference and set NULL to it locklessly.

	However, the peer socket still can send MSG_OOB message and
	queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading
	NULL pointer dereference. [0]

	To fix the issue, let's update unix_sk(sk)->oob_skb under the
	sk_receive_queue's lock and take it everywhere we touch oob_skb.

	Note that we defer kfree_skb() in manage_oob() to silence lockdep
	false-positive (See [1]).

	[0]:
	BUG: kernel NULL pointer dereference, address: 0000000000000008
	PF: supervisor write access in kernel mode
	PF: error_code(0x0002) - not-present page
	PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
	Oops: 0002 [#1] PREEMPT SMP PTI
	CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
	Workqueue: events delayed_fput
	RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
	Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
	RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
	RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
	RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
	RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
	R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
	R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
	FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
	PKRU: 55555554
	Call Trace:
	<TASK>
	unix_release_sock (net/unix/af_unix.c:654)
	unix_release (net/unix/af_unix.c:1050)
	__sock_release (net/socket.c:660)
	sock_close (net/socket.c:1423)
	__fput (fs/file_table.c:423)
	delayed_fput (fs/file_table.c:444 (discriminator 3))
	process_one_work (kernel/workqueue.c:3259)
	worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
	kthread (kernel/kthread.c:388)
	ret_from_fork (arch/x86/kernel/process.c:153)
	ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
	</TASK>
	Modules linked in:
	CR2: 0000000000000008

	The Linux kernel CVE team has assigned CVE-2024-36972 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.149 with commit 4fe505c63aa3273135a57597fda761e9aecc7668 and fixed in 5.15.161 with commit 518a994aa0b87d96f1bc6678a7035df5d1fcd7a1
	Issue introduced in 6.1.78 with commit e0e09186d8821ad59806115d347ea32efa43ca4b and fixed in 6.1.93 with commit 4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1
	Issue introduced in 6.6.17 with commit b74aa9ce13d02b7fd37c5325b99854f91b9b4276 and fixed in 6.6.33 with commit d59ae9314b97e01c76a4171472441e55721ba636
	Issue introduced in 6.8 with commit 1279f9d9dec2d7462823a18c29ad61359e0a007d and fixed in 6.9.4 with commit 4708f49add84a57ce0ccc7bf9a6269845c631cc3
	Issue introduced in 6.8 with commit 1279f9d9dec2d7462823a18c29ad61359e0a007d and fixed in 6.10 with commit 9841991a446c87f90f66f4b9fee6fe934c1336a2
	Issue introduced in 6.7.5 with commit 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36972
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/af_unix.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1
	https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1
	https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636
	https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3
	https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2