Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-53124.json
blob: 730b5066772c32540e7edf7252e4fb44aefdda8d [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix data-races around sk->sk_forward_alloc\n\nSyzkaller reported this warning:\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0\n Modules linked in:\n CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:inet_sock_destruct+0x1c5/0x1e0\n Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206\n RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007\n RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00\n RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007\n R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00\n R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78\n FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <TASK>\n ? __warn+0x88/0x130\n ? inet_sock_destruct+0x1c5/0x1e0\n ? report_bug+0x18e/0x1a0\n ? handle_bug+0x53/0x90\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? inet_sock_destruct+0x1c5/0x1e0\n __sk_destruct+0x2a/0x200\n rcu_do_batch+0x1aa/0x530\n ? rcu_do_batch+0x13b/0x530\n rcu_core+0x159/0x2f0\n handle_softirqs+0xd3/0x2b0\n ? __pfx_smpboot_thread_fn+0x10/0x10\n run_ksoftirqd+0x25/0x30\n smpboot_thread_fn+0xdd/0x1d0\n kthread+0xd3/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nIts possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()\nconcurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,\nwhich triggers a data-race around sk->sk_forward_alloc:\ntcp_v6_rcv\n tcp_v6_do_rcv\n skb_clone_and_charge_r\n sk_rmem_schedule\n __sk_mem_schedule\n sk_forward_alloc_add()\n skb_set_owner_r\n sk_mem_charge\n sk_forward_alloc_add()\n __kfree_skb\n skb_release_all\n skb_release_head_state\n sock_rfree\n sk_mem_uncharge\n sk_forward_alloc_add()\n sk_mem_reclaim\n // set local var reclaimable\n __sk_mem_reclaim\n sk_forward_alloc_add()\n\nIn this syzkaller testcase, two threads call\ntcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like\nthis:\n (cpu 1) | (cpu 2) | sk_forward_alloc\n ... | ... | 0\n __sk_mem_schedule() | | +4096 = 4096\n | __sk_mem_schedule() | +4096 = 8192\n sk_mem_charge() | | -768 = 7424\n | sk_mem_charge() | -768 = 6656\n ... | ... |\n sk_mem_uncharge() | | +768 = 7424\n reclaimable=7424 | |\n | sk_mem_uncharge() | +768 = 8192\n | reclaimable=8192 |\n __sk_mem_reclaim() | | -4096 = 4096\n | __sk_mem_reclaim() | -8192 = -4096 != 0\n\nThe skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when\nsk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().\nFix the same issue in dccp_v6_do_rcv()."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/dccp/ipv6.c",
"net/ipv6/tcp_ipv6.c"
],
"versions": [
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d",
"status": "affected",
"versionType": "git"
},
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "fe2c0bd6d1e29ccefdc978b9a290571c93c27473",
"status": "affected",
"versionType": "git"
},
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "c3d052cae566ec2285f5999958a5deb415a0f59e",
"status": "affected",
"versionType": "git"
},
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "be7c61ea5f816168c38955eb4e898adc8b4b32fd",
"status": "affected",
"versionType": "git"
},
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "3f51f8c9d28954cf380100883a02eed35a8277e9",
"status": "affected",
"versionType": "git"
},
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6",
"status": "affected",
"versionType": "git"
},
{
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"lessThan": "073d89808c065ac4c672c0a613a71b27a80691cb",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/dccp/ipv6.c",
"net/ipv6/tcp_ipv6.c"
],
"versions": [
{
"version": "4.4",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.4",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.290",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.234",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.177",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.127",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.74",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.10",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "5.4.290"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "5.10.234"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "5.15.177"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "6.1.127"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "6.6.74"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "6.11.10"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4",
"versionEndExcluding": "6.12"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d"
},
{
"url": "https://git.kernel.org/stable/c/fe2c0bd6d1e29ccefdc978b9a290571c93c27473"
},
{
"url": "https://git.kernel.org/stable/c/c3d052cae566ec2285f5999958a5deb415a0f59e"
},
{
"url": "https://git.kernel.org/stable/c/be7c61ea5f816168c38955eb4e898adc8b4b32fd"
},
{
"url": "https://git.kernel.org/stable/c/3f51f8c9d28954cf380100883a02eed35a8277e9"
},
{
"url": "https://git.kernel.org/stable/c/d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6"
},
{
"url": "https://git.kernel.org/stable/c/073d89808c065ac4c672c0a613a71b27a80691cb"
}
],
"title": "net: fix data-races around sk->sk_forward_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-53124",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}