| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26782: mptcp: fix double-free on socket dismantle |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| mptcp: fix double-free on socket dismantle |
| |
| when MPTCP server accepts an incoming connection, it clones its listener |
| socket. However, the pointer to 'inet_opt' for the new socket has the same |
| value as the original one: as a consequence, on program exit it's possible |
| to observe the following splat: |
| |
| BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 |
| Free of addr ffff888485950880 by task swapper/25/0 |
| |
| CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 |
| Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 |
| Call Trace: |
| <IRQ> |
| dump_stack_lvl+0x32/0x50 |
| print_report+0xca/0x620 |
| kasan_report_invalid_free+0x64/0x90 |
| __kasan_slab_free+0x1aa/0x1f0 |
| kfree+0xed/0x2e0 |
| inet_sock_destruct+0x54f/0x8b0 |
| __sk_destruct+0x48/0x5b0 |
| rcu_do_batch+0x34e/0xd90 |
| rcu_core+0x559/0xac0 |
| __do_softirq+0x183/0x5a4 |
| irq_exit_rcu+0x12d/0x170 |
| sysvec_apic_timer_interrupt+0x6b/0x80 |
| </IRQ> |
| <TASK> |
| asm_sysvec_apic_timer_interrupt+0x16/0x20 |
| RIP: 0010:cpuidle_enter_state+0x175/0x300 |
| Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b |
| RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 |
| RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 |
| RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 |
| RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 |
| R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 |
| R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 |
| cpuidle_enter+0x4a/0xa0 |
| do_idle+0x310/0x410 |
| cpu_startup_entry+0x51/0x60 |
| start_secondary+0x211/0x270 |
| secondary_startup_64_no_verify+0x184/0x18b |
| </TASK> |
| |
| Allocated by task 6853: |
| kasan_save_stack+0x1c/0x40 |
| kasan_save_track+0x10/0x30 |
| __kasan_kmalloc+0xa6/0xb0 |
| __kmalloc+0x1eb/0x450 |
| cipso_v4_sock_setattr+0x96/0x360 |
| netlbl_sock_setattr+0x132/0x1f0 |
| selinux_netlbl_socket_post_create+0x6c/0x110 |
| selinux_socket_post_create+0x37b/0x7f0 |
| security_socket_post_create+0x63/0xb0 |
| __sock_create+0x305/0x450 |
| __sys_socket_create.part.23+0xbd/0x130 |
| __sys_socket+0x37/0xb0 |
| __x64_sys_socket+0x6f/0xb0 |
| do_syscall_64+0x83/0x160 |
| entry_SYSCALL_64_after_hwframe+0x6e/0x76 |
| |
| Freed by task 6858: |
| kasan_save_stack+0x1c/0x40 |
| kasan_save_track+0x10/0x30 |
| kasan_save_free_info+0x3b/0x60 |
| __kasan_slab_free+0x12c/0x1f0 |
| kfree+0xed/0x2e0 |
| inet_sock_destruct+0x54f/0x8b0 |
| __sk_destruct+0x48/0x5b0 |
| subflow_ulp_release+0x1f0/0x250 |
| tcp_cleanup_ulp+0x6e/0x110 |
| tcp_v4_destroy_sock+0x5a/0x3a0 |
| inet_csk_destroy_sock+0x135/0x390 |
| tcp_fin+0x416/0x5c0 |
| tcp_data_queue+0x1bc8/0x4310 |
| tcp_rcv_state_process+0x15a3/0x47b0 |
| tcp_v4_do_rcv+0x2c1/0x990 |
| tcp_v4_rcv+0x41fb/0x5ed0 |
| ip_protocol_deliver_rcu+0x6d/0x9f0 |
| ip_local_deliver_finish+0x278/0x360 |
| ip_local_deliver+0x182/0x2c0 |
| ip_rcv+0xb5/0x1c0 |
| __netif_receive_skb_one_core+0x16e/0x1b0 |
| process_backlog+0x1e3/0x650 |
| __napi_poll+0xa6/0x500 |
| net_rx_action+0x740/0xbb0 |
| __do_softirq+0x183/0x5a4 |
| |
| The buggy address belongs to the object at ffff888485950880 |
| which belongs to the cache kmalloc-64 of size 64 |
| The buggy address is located 0 bytes inside of |
| 64-byte region [ffff888485950880, ffff8884859508c0) |
| |
| The buggy address belongs to the physical page: |
| page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 |
| flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) |
| page_type: 0xffffffff() |
| raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 |
| raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 |
| page dumped because: kasan: bad access detected |
| |
| Memory state around the buggy address: |
| ffff888485950780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc |
| ffff888485950800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc |
| >ffff888485950880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc |
| ^ |
| ffff888485950900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc |
| ffff888485950980: 00 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc |
| |
| Something similar (a refcount underflow) happens with CALIPSO/IPv6. Fix |
| this by duplicating IP / IPv6 options after clone, so that |
| ip{,6}_sock_destruct() doesn't end up freeing the same memory area twice. |
| |
| The Linux kernel CVE team has assigned CVE-2024-26782 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.6 with commit cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be and fixed in 5.10.212 with commit f74362a004225df935863dea6eb7d82daaa5b16e |
| Issue introduced in 5.6 with commit cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be and fixed in 5.15.151 with commit 4a4eeb6912538c2d0b158e8d11b62d96c1dada4e |
| Issue introduced in 5.6 with commit cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be and fixed in 6.1.81 with commit d93fd40c62397326046902a2c5cb75af50882a85 |
| Issue introduced in 5.6 with commit cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be and fixed in 6.6.21 with commit ce0809ada38dca8d6d41bb57ab40494855c30582 |
| Issue introduced in 5.6 with commit cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be and fixed in 6.7.9 with commit 85933e80d077c9ae2227226beb86c22f464059cc |
| Issue introduced in 5.6 with commit cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be and fixed in 6.8 with commit 10048689def7e40a4405acda16fdc6477d4ecc5c |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26782 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/mptcp/protocol.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e |
| https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e |
| https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85 |
| https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582 |
| https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc |
| https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c |
