cve/published/2024/CVE-2024-56642.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

syzkaller reported a use-after-free of UDP kernel socket
in cleanup_bearer() without repro. [0][1]

When bearer_disable() calls tipc_udp_disable(), cleanup
of the UDP kernel socket is deferred by work calling
cleanup_bearer().

tipc_exit_net() waits for such works to finish by checking
tipc_net(net)->wq_count.  However, the work decrements the
count too early before releasing the kernel socket,
unblocking cleanup_net() and resulting in use-after-free.

Let's move the decrement after releasing the socket in
cleanup_bearer().

[0]:
ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at
     sk_alloc+0x438/0x608
     inet_create+0x4c8/0xcb0
     __sock_create+0x350/0x6b8
     sock_create_kern+0x58/0x78
     udp_sock_create4+0x68/0x398
     udp_sock_create+0x88/0xc8
     tipc_udp_enable+0x5e8/0x848
     __tipc_nl_bearer_enable+0x84c/0xed8
     tipc_nl_bearer_enable+0x38/0x60
     genl_family_rcv_msg_doit+0x170/0x248
     genl_rcv_msg+0x400/0x5b0
     netlink_rcv_skb+0x1dc/0x398
     genl_rcv+0x44/0x68
     netlink_unicast+0x678/0x8b0
     netlink_sendmsg+0x5e4/0x898
     ____sys_sendmsg+0x500/0x830

[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 udp_hashslot include/net/udp.h:85 [inline]
 udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
 __sock_release net/socket.c:658 [inline]
 sock_release+0xa0/0x210 net/socket.c:686
 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_free_hook mm/slub.c:2269 [inline]
 slab_free mm/slub.c:4580 [inline]
 kmem_cache_free+0x207/0xc40 mm/slub.c:4682
 net_free net/core/net_namespace.c:454 [inline]
 cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer

The Linux kernel CVE team has assigned CVE-2024-56642 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.124 with commit d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa and fixed in 5.4.287 with commit 4e69457f9dfae67435f3ccf29008768eae860415
	Issue introduced in 5.10.42 with commit 5195ec5e365a2a9331bfeb585b613a6e94f98dba and fixed in 5.10.231 with commit 650ee9a22d7a2de8999fac2d45983597a0c22359
	Issue introduced in 5.13 with commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 and fixed in 5.15.174 with commit d2a4894f238551eae178904e7f45af87577074fd
	Issue introduced in 5.13 with commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 and fixed in 6.1.120 with commit d62d5180c036eeac09f80660edc7a602b369125f
	Issue introduced in 5.13 with commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 and fixed in 6.6.66 with commit d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
	Issue introduced in 5.13 with commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 and fixed in 6.12.5 with commit e48b211c4c59062cb6dd6c2c37c51a7cc235a464
	Issue introduced in 5.13 with commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 and fixed in 6.13 with commit 6a2fa13312e51a621f652d522d7e2df7066330b6
	Issue introduced in 5.12.9 with commit b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56642
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/tipc/udp_media.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415
	https://git.kernel.org/stable/c/650ee9a22d7a2de8999fac2d45983597a0c22359
	https://git.kernel.org/stable/c/d2a4894f238551eae178904e7f45af87577074fd
	https://git.kernel.org/stable/c/d62d5180c036eeac09f80660edc7a602b369125f
	https://git.kernel.org/stable/c/d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
	https://git.kernel.org/stable/c/e48b211c4c59062cb6dd6c2c37c51a7cc235a464
	https://git.kernel.org/stable/c/6a2fa13312e51a621f652d522d7e2df7066330b6