cve/published/2024/CVE-2024-53124.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: fix data-races around sk->sk_forward_alloc

 Syzkaller reported this warning:
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
  Modules linked in:
  CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
  Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
  RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
  RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
  RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
  RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
  R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
  R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
  FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   <TASK>
   ? __warn+0x88/0x130
   ? inet_sock_destruct+0x1c5/0x1e0
   ? report_bug+0x18e/0x1a0
   ? handle_bug+0x53/0x90
   ? exc_invalid_op+0x18/0x70
   ? asm_exc_invalid_op+0x1a/0x20
   ? inet_sock_destruct+0x1c5/0x1e0
   __sk_destruct+0x2a/0x200
   rcu_do_batch+0x1aa/0x530
   ? rcu_do_batch+0x13b/0x530
   rcu_core+0x159/0x2f0
   handle_softirqs+0xd3/0x2b0
   ? __pfx_smpboot_thread_fn+0x10/0x10
   run_ksoftirqd+0x25/0x30
   smpboot_thread_fn+0xdd/0x1d0
   kthread+0xd3/0x100
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x34/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>
  ---[ end trace 0000000000000000 ]---

 Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
 concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
 which triggers a data-race around sk->sk_forward_alloc:
 tcp_v6_rcv
     tcp_v6_do_rcv
         skb_clone_and_charge_r
             sk_rmem_schedule
                 __sk_mem_schedule
                     sk_forward_alloc_add()
             skb_set_owner_r
                 sk_mem_charge
                     sk_forward_alloc_add()
         __kfree_skb
             skb_release_all
                 skb_release_head_state
                     sock_rfree
                         sk_mem_uncharge
                             sk_forward_alloc_add()
                             sk_mem_reclaim
                                 // set local var reclaimable
                                 __sk_mem_reclaim
                                     sk_forward_alloc_add()

 In this syzkaller testcase, two threads call
 tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
 this:
  (cpu 1)             | (cpu 2)             | sk_forward_alloc
  ...                 | ...                 | 0
  __sk_mem_schedule() |                     | +4096 = 4096
                      | __sk_mem_schedule() | +4096 = 8192
  sk_mem_charge()     |                     | -768  = 7424
                      | sk_mem_charge()     | -768  = 6656
  ...                 |    ...              |
  sk_mem_uncharge()   |                     | +768  = 7424
  reclaimable=7424    |                     |
                      | sk_mem_uncharge()   | +768  = 8192
                      | reclaimable=8192    |
  __sk_mem_reclaim()  |                     | -4096 = 4096
                      | __sk_mem_reclaim()  | -8192 = -4096 != 0

 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
 sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
 Fix the same issue in dccp_v6_do_rcv().

 The Linux kernel CVE team has assigned CVE-2024-53124 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 5.4.290 with commit 695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d
 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 5.10.234 with commit fe2c0bd6d1e29ccefdc978b9a290571c93c27473
 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 5.15.177 with commit c3d052cae566ec2285f5999958a5deb415a0f59e
 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.1.127 with commit be7c61ea5f816168c38955eb4e898adc8b4b32fd
 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.6.74 with commit 3f51f8c9d28954cf380100883a02eed35a8277e9
 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.11.10 with commit d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6
 	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.12 with commit 073d89808c065ac4c672c0a613a71b27a80691cb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53124
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/dccp/ipv6.c
 	net/ipv6/tcp_ipv6.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d
 	https://git.kernel.org/stable/c/fe2c0bd6d1e29ccefdc978b9a290571c93c27473
 	https://git.kernel.org/stable/c/c3d052cae566ec2285f5999958a5deb415a0f59e
 	https://git.kernel.org/stable/c/be7c61ea5f816168c38955eb4e898adc8b4b32fd
 	https://git.kernel.org/stable/c/3f51f8c9d28954cf380100883a02eed35a8277e9
 	https://git.kernel.org/stable/c/d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6
 	https://git.kernel.org/stable/c/073d89808c065ac4c672c0a613a71b27a80691cb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: fix data-races around sk->sk_forward_alloc

	Syzkaller reported this warning:
	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
	Modules linked in:
	CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
	Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
	RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
	RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
	RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
	RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
	R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
	R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
	FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	? __warn+0x88/0x130
	? inet_sock_destruct+0x1c5/0x1e0
	? report_bug+0x18e/0x1a0
	? handle_bug+0x53/0x90
	? exc_invalid_op+0x18/0x70
	? asm_exc_invalid_op+0x1a/0x20
	? inet_sock_destruct+0x1c5/0x1e0
	__sk_destruct+0x2a/0x200
	rcu_do_batch+0x1aa/0x530
	? rcu_do_batch+0x13b/0x530
	rcu_core+0x159/0x2f0
	handle_softirqs+0xd3/0x2b0
	? __pfx_smpboot_thread_fn+0x10/0x10
	run_ksoftirqd+0x25/0x30
	smpboot_thread_fn+0xdd/0x1d0
	kthread+0xd3/0x100
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x34/0x50
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1a/0x30
	</TASK>
	---[ end trace 0000000000000000 ]---

	Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
	concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
	which triggers a data-race around sk->sk_forward_alloc:
	tcp_v6_rcv
	tcp_v6_do_rcv
	skb_clone_and_charge_r
	sk_rmem_schedule
	__sk_mem_schedule
	sk_forward_alloc_add()
	skb_set_owner_r
	sk_mem_charge
	sk_forward_alloc_add()
	__kfree_skb
	skb_release_all
	skb_release_head_state
	sock_rfree
	sk_mem_uncharge
	sk_forward_alloc_add()
	sk_mem_reclaim
	// set local var reclaimable
	__sk_mem_reclaim
	sk_forward_alloc_add()

	In this syzkaller testcase, two threads call
	tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
	this:
	(cpu 1) \| (cpu 2) \| sk_forward_alloc
	... \| ... \| 0
	__sk_mem_schedule() \| \| +4096 = 4096
	\| __sk_mem_schedule() \| +4096 = 8192
	sk_mem_charge() \| \| -768 = 7424
	\| sk_mem_charge() \| -768 = 6656
	... \| ... \|
	sk_mem_uncharge() \| \| +768 = 7424
	reclaimable=7424 \| \|
	\| sk_mem_uncharge() \| +768 = 8192
	\| reclaimable=8192 \|
	__sk_mem_reclaim() \| \| -4096 = 4096
	\| __sk_mem_reclaim() \| -8192 = -4096 != 0

	The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
	sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
	Fix the same issue in dccp_v6_do_rcv().

	The Linux kernel CVE team has assigned CVE-2024-53124 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 5.4.290 with commit 695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d
	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 5.10.234 with commit fe2c0bd6d1e29ccefdc978b9a290571c93c27473
	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 5.15.177 with commit c3d052cae566ec2285f5999958a5deb415a0f59e
	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.1.127 with commit be7c61ea5f816168c38955eb4e898adc8b4b32fd
	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.6.74 with commit 3f51f8c9d28954cf380100883a02eed35a8277e9
	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.11.10 with commit d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6
	Issue introduced in 4.4 with commit e994b2f0fb9229aeff5eea9541320bd7b2ca8714 and fixed in 6.12 with commit 073d89808c065ac4c672c0a613a71b27a80691cb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53124
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/dccp/ipv6.c
	net/ipv6/tcp_ipv6.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d
	https://git.kernel.org/stable/c/fe2c0bd6d1e29ccefdc978b9a290571c93c27473
	https://git.kernel.org/stable/c/c3d052cae566ec2285f5999958a5deb415a0f59e
	https://git.kernel.org/stable/c/be7c61ea5f816168c38955eb4e898adc8b4b32fd
	https://git.kernel.org/stable/c/3f51f8c9d28954cf380100883a02eed35a8277e9
	https://git.kernel.org/stable/c/d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6
	https://git.kernel.org/stable/c/073d89808c065ac4c672c0a613a71b27a80691cb