cve/published/2024/CVE-2024-26750.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26750: af_unix: Drop oob_skb ref before purging queue in GC.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: Drop oob_skb ref before purging queue in GC.

 syzbot reported another task hung in __unix_gc().  [0]

 The current while loop assumes that all of the left candidates
 have oob_skb and calling kfree_skb(oob_skb) releases the remaining
 candidates.

 However, I missed a case that oob_skb has self-referencing fd and
 another fd and the latter sk is placed before the former in the
 candidate list.  Then, the while loop never proceeds, resulting
 the task hung.

 __unix_gc() has the same loop just before purging the collected skb,
 so we can call kfree_skb(oob_skb) there and let __skb_queue_purge()
 release all inflight sockets.

 [0]:
 Sending NMI from CPU 0 to CPUs 1:
 NMI backtrace for cpu 1
 CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
 Workqueue: events_unbound __unix_gc
 RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
 Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70
 RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287
 RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84
 R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee
 R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840
 FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <NMI>
  </NMI>
  <TASK>
  __unix_gc+0xe69/0xf40 net/unix/garbage.c:343
  process_one_work kernel/workqueue.c:2633 [inline]
  process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
  worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
  kthread+0x2ef/0x390 kernel/kthread.c:388
  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-26750 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.149 with commit 36f7371de977f805750748e80279be7e370df85c and fixed in 5.15.151 with commit 6c480d0f131862645d172ca9e25dc152b1a5c3a6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26750
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/garbage.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
 	https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
 	https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d
 	https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
 	https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26750: af_unix: Drop oob_skb ref before purging queue in GC.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: Drop oob_skb ref before purging queue in GC.

	syzbot reported another task hung in __unix_gc(). [0]

	The current while loop assumes that all of the left candidates
	have oob_skb and calling kfree_skb(oob_skb) releases the remaining
	candidates.

	However, I missed a case that oob_skb has self-referencing fd and
	another fd and the latter sk is placed before the former in the
	candidate list. Then, the while loop never proceeds, resulting
	the task hung.

	__unix_gc() has the same loop just before purging the collected skb,
	so we can call kfree_skb(oob_skb) there and let __skb_queue_purge()
	release all inflight sockets.

	[0]:
	Sending NMI from CPU 0 to CPUs 1:
	NMI backtrace for cpu 1
	CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
	Workqueue: events_unbound __unix_gc
	RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
	Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70
	RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287
	RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80
	RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
	RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84
	R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee
	R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840
	FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<NMI>
	</NMI>
	<TASK>
	__unix_gc+0xe69/0xf40 net/unix/garbage.c:343
	process_one_work kernel/workqueue.c:2633 [inline]
	process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
	worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
	kthread+0x2ef/0x390 kernel/kthread.c:388
	ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-26750 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.149 with commit 36f7371de977f805750748e80279be7e370df85c and fixed in 5.15.151 with commit 6c480d0f131862645d172ca9e25dc152b1a5c3a6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26750
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/garbage.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
	https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
	https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d
	https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
	https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3