cve/published/2024/CVE-2024-26780.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26780: af_unix: Fix task hung while purging oob_skb in GC.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: Fix task hung while purging oob_skb in GC.

 syzbot reported a task hung; at the same time, GC was looping infinitely
 in list_for_each_entry_safe() for OOB skb.  [0]

 syzbot demonstrated that the list_for_each_entry_safe() was not actually
 safe in this case.

 A single skb could have references for multiple sockets.  If we free such
 a skb in the list_for_each_entry_safe(), the current and next sockets could
 be unlinked in a single iteration.

 unix_notinflight() uses list_del_init() to unlink the socket, so the
 prefetched next socket forms a loop itself and list_for_each_entry_safe()
 never stops.

 Here, we must use while() and make sure we always fetch the first socket.

 [0]:
 Sending NMI from CPU 0 to CPUs 1:
 NMI backtrace for cpu 1
 CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
 RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
 RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
 RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
 Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
 RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
 RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
 RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
 RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
 R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
 R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
 FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <NMI>
  </NMI>
  <TASK>
  unix_gc+0x563/0x13b0 net/unix/garbage.c:319
  unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
  unix_release+0x91/0xf0 net/unix/af_unix.c:1064
  __sock_release+0xb0/0x270 net/socket.c:659
  sock_close+0x1c/0x30 net/socket.c:1421
  __fput+0x270/0xb80 fs/file_table.c:376
  task_work_run+0x14f/0x250 kernel/task_work.c:180
  exit_task_work include/linux/task_work.h:38 [inline]
  do_exit+0xa8a/0x2ad0 kernel/exit.c:871
  do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
  __do_sys_exit_group kernel/exit.c:1031 [inline]
  __se_sys_exit_group kernel/exit.c:1029 [inline]
  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x6f/0x77
 RIP: 0033:0x7f9d6cbdac09
 Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
 RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
 RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
 R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-26780 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.78 with commit e0e09186d8821ad59806115d347ea32efa43ca4b and fixed in 6.1.81 with commit 2a3d40b4025fcfe51b04924979f1653993b17669
 	Issue introduced in 6.6.17 with commit b74aa9ce13d02b7fd37c5325b99854f91b9b4276 and fixed in 6.6.21 with commit 69e0f04460f4037e01e29f0d9675544f62aafca3
 	Issue introduced in 6.7.5 with commit 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140 and fixed in 6.7.9 with commit cb8890318dde26fc89c6ea67d6e9070ab50b6e91

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26780
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/garbage.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c
 	https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669
 	https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3
 	https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91
 	https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26780: af_unix: Fix task hung while purging oob_skb in GC.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: Fix task hung while purging oob_skb in GC.

	syzbot reported a task hung; at the same time, GC was looping infinitely
	in list_for_each_entry_safe() for OOB skb. [0]

	syzbot demonstrated that the list_for_each_entry_safe() was not actually
	safe in this case.

	A single skb could have references for multiple sockets. If we free such
	a skb in the list_for_each_entry_safe(), the current and next sockets could
	be unlinked in a single iteration.

	unix_notinflight() uses list_del_init() to unlink the socket, so the
	prefetched next socket forms a loop itself and list_for_each_entry_safe()
	never stops.

	Here, we must use while() and make sure we always fetch the first socket.

	[0]:
	Sending NMI from CPU 0 to CPUs 1:
	NMI backtrace for cpu 1
	CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
	RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
	RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
	RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
	Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
	RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
	RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
	RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
	RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
	R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
	R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
	FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<NMI>
	</NMI>
	<TASK>
	unix_gc+0x563/0x13b0 net/unix/garbage.c:319
	unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
	unix_release+0x91/0xf0 net/unix/af_unix.c:1064
	__sock_release+0xb0/0x270 net/socket.c:659
	sock_close+0x1c/0x30 net/socket.c:1421
	__fput+0x270/0xb80 fs/file_table.c:376
	task_work_run+0x14f/0x250 kernel/task_work.c:180
	exit_task_work include/linux/task_work.h:38 [inline]
	do_exit+0xa8a/0x2ad0 kernel/exit.c:871
	do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
	__do_sys_exit_group kernel/exit.c:1031 [inline]
	__se_sys_exit_group kernel/exit.c:1029 [inline]
	__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x6f/0x77
	RIP: 0033:0x7f9d6cbdac09
	Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
	RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
	RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
	RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
	R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
	R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-26780 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.78 with commit e0e09186d8821ad59806115d347ea32efa43ca4b and fixed in 6.1.81 with commit 2a3d40b4025fcfe51b04924979f1653993b17669
	Issue introduced in 6.6.17 with commit b74aa9ce13d02b7fd37c5325b99854f91b9b4276 and fixed in 6.6.21 with commit 69e0f04460f4037e01e29f0d9675544f62aafca3
	Issue introduced in 6.7.5 with commit 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140 and fixed in 6.7.9 with commit cb8890318dde26fc89c6ea67d6e9070ab50b6e91

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26780
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/garbage.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c
	https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669
	https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3
	https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91
	https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839