cve/published/2024/CVE-2024-26676.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26676: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.

 syzbot reported a warning [0] in __unix_gc() with a repro, which
 creates a socketpair and sends one socket's fd to itself using the
 peer.

   socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
   sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
           msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
                                       cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
           msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1

 This forms a self-cyclic reference that GC should finally untangle
 but does not due to lack of MSG_OOB handling, resulting in memory
 leak.

 Recently, commit 11498715f266 ("af_unix: Remove io_uring code for
 GC.") removed io_uring's dead code in GC and revealed the problem.

 The code was executed at the final stage of GC and unconditionally
 moved all GC candidates from gc_candidates to gc_inflight_list.
 That papered over the reported problem by always making the following
 WARN_ON_ONCE(!list_empty(&gc_candidates)) false.

 The problem has been there since commit 2aab4b969002 ("af_unix: fix
 struct pid leaks in OOB support") added full scm support for MSG_OOB
 while fixing another bug.

 To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb
 if the socket still exists in gc_candidates after purging collected skb.

 Then, we need to set NULL to oob_skb before calling kfree_skb() because
 it calls last fput() and triggers unix_release_sock(), where we call
 duplicate kfree_skb(u->oob_skb) if not NULL.

 Note that the leaked socket remained being linked to a global list, so
 kmemleak also could not detect it.  We need to check /proc/net/protocol
 to notice the unfreed socket.

 [0]:
 WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
 Modules linked in:
 CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
 Workqueue: events_unbound __unix_gc
 RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
 RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
 FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
  process_scheduled_works kernel/workqueue.c:2706 [inline]
  worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
  kthread+0x2c6/0x3b0 kernel/kthread.c:388
  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-26676 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.103 with commit f3969427fb06a2c3cd6efd7faab63505cfa76e76 and fixed in 5.15.149 with commit 4fe505c63aa3273135a57597fda761e9aecc7668
 	Issue introduced in 6.1.20 with commit ac1968ac399205fda9ee3b18f7de7416cb3a5d0d and fixed in 6.1.78 with commit e0e09186d8821ad59806115d347ea32efa43ca4b
 	Issue introduced in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 and fixed in 6.6.17 with commit b74aa9ce13d02b7fd37c5325b99854f91b9b4276
 	Issue introduced in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 and fixed in 6.7.5 with commit 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140
 	Issue introduced in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 and fixed in 6.8 with commit 1279f9d9dec2d7462823a18c29ad61359e0a007d
 	Issue introduced in 6.2.7 with commit a59d6306263c38e5c0592ea4451ca26a0778c947

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26676
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/garbage.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668
 	https://git.kernel.org/stable/c/e0e09186d8821ad59806115d347ea32efa43ca4b
 	https://git.kernel.org/stable/c/b74aa9ce13d02b7fd37c5325b99854f91b9b4276
 	https://git.kernel.org/stable/c/82ae47c5c3a6b27fdc0f9e83c1499cb439c56140
 	https://git.kernel.org/stable/c/1279f9d9dec2d7462823a18c29ad61359e0a007d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26676: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.

	syzbot reported a warning [0] in __unix_gc() with a repro, which
	creates a socketpair and sends one socket's fd to itself using the
	peer.

	socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
	sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
	msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
	cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
	msg_controllen=24, msg_flags=0}, MSG_OOB\|MSG_PROBE\|MSG_DONTWAIT\|MSG_ZEROCOPY) = 1

	This forms a self-cyclic reference that GC should finally untangle
	but does not due to lack of MSG_OOB handling, resulting in memory
	leak.

	Recently, commit 11498715f266 ("af_unix: Remove io_uring code for
	GC.") removed io_uring's dead code in GC and revealed the problem.

	The code was executed at the final stage of GC and unconditionally
	moved all GC candidates from gc_candidates to gc_inflight_list.
	That papered over the reported problem by always making the following
	WARN_ON_ONCE(!list_empty(&gc_candidates)) false.

	The problem has been there since commit 2aab4b969002 ("af_unix: fix
	struct pid leaks in OOB support") added full scm support for MSG_OOB
	while fixing another bug.

	To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb
	if the socket still exists in gc_candidates after purging collected skb.

	Then, we need to set NULL to oob_skb before calling kfree_skb() because
	it calls last fput() and triggers unix_release_sock(), where we call
	duplicate kfree_skb(u->oob_skb) if not NULL.

	Note that the leaked socket remained being linked to a global list, so
	kmemleak also could not detect it. We need to check /proc/net/protocol
	to notice the unfreed socket.

	[0]:
	WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
	Modules linked in:
	CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
	Workqueue: events_unbound __unix_gc
	RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
	Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
	RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
	RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
	RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
	RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
	R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
	R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
	FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
	process_scheduled_works kernel/workqueue.c:2706 [inline]
	worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
	kthread+0x2c6/0x3b0 kernel/kthread.c:388
	ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-26676 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.103 with commit f3969427fb06a2c3cd6efd7faab63505cfa76e76 and fixed in 5.15.149 with commit 4fe505c63aa3273135a57597fda761e9aecc7668
	Issue introduced in 6.1.20 with commit ac1968ac399205fda9ee3b18f7de7416cb3a5d0d and fixed in 6.1.78 with commit e0e09186d8821ad59806115d347ea32efa43ca4b
	Issue introduced in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 and fixed in 6.6.17 with commit b74aa9ce13d02b7fd37c5325b99854f91b9b4276
	Issue introduced in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 and fixed in 6.7.5 with commit 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140
	Issue introduced in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 and fixed in 6.8 with commit 1279f9d9dec2d7462823a18c29ad61359e0a007d
	Issue introduced in 6.2.7 with commit a59d6306263c38e5c0592ea4451ca26a0778c947

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26676
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/garbage.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668
	https://git.kernel.org/stable/c/e0e09186d8821ad59806115d347ea32efa43ca4b
	https://git.kernel.org/stable/c/b74aa9ce13d02b7fd37c5325b99854f91b9b4276
	https://git.kernel.org/stable/c/82ae47c5c3a6b27fdc0f9e83c1499cb439c56140
	https://git.kernel.org/stable/c/1279f9d9dec2d7462823a18c29ad61359e0a007d