From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-26923: af_unix: Fix garbage collector racing against connect()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children, leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.

  sockets are AF_UNIX/SOCK_STREAM
  S is an unconnected socket
  L is a listening in-flight socket bound to addr, not in fdtable
  V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)        sendmsg(S, [V]); close(V)       __unix_gc()
----------------        -------------------------       -----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
                        // V count=1 inflight=0

                        NS = unix_peer(S)
                        skb2 = sock_alloc()
                        skb_queue_tail(NS, skb2[V])

                        // V became in-flight
                        // V count=2 inflight=1

                        close(V)

                        // V count=1 inflight=1
                        // GC candidate condition met

                                                        for u in gc_inflight_list:
                                                          if (total_refs == inflight_refs)
                                                            add u to gc_candidates

                                                        // gc_candidates={L, V}

                                                        for u in gc_candidates:
                                                          scan_children(u, dec_inflight)

                                                        // embryo (skb1) was not
                                                        // reachable from L yet, so V's
                                                        // inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
                                                        for u in gc_candidates:
                                                          if (u.inflight)
                                                            scan_children(u, inc_inflight_move_tail)

                                                        // V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.

The Linux kernel CVE team has assigned CVE-2024-26923 to this issue.
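The diagram above hinges on a descriptor that is "in flight": V has been queued inside an skb by sendmsg() and the sender has already closed it, so the only thing keeping the open file alive is the reference the garbage collector has to track. The program below is an added illustration of that user-space side of the mechanism; it is not part of the advisory or of the kernel patch. It uses a socketpair() rather than connect() to a bound address, and a pipe as V; the function names (send_fd, recv_fd, inflight_fd_roundtrip) are mine. The kernel's inflight counter itself is not observable from user space; what is observable is that the descriptor the peer receives still refers to the same open file after the sender has closed its own copy.

```c
/* Added example: SCM_RIGHTS fd passing over AF_UNIX/SOCK_STREAM, matching
 * the "sendmsg(S, [V]); close(V)" column of the race diagram. Not code from
 * the advisory or the kernel; assumes a socketpair() instead of connect(). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Queue fd 'v' on stream socket 's' as SCM_RIGHTS ancillary data. */
static int send_fd(int s, int v) {
    char byte = 'x';                      /* one payload byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &v, sizeof(int));
    return sendmsg(s, &msg, 0) == 1 ? 0 : -1;
}

/* Dequeue one fd from stream socket 's'; returns the new fd or -1. */
static int recv_fd(int s) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    if (recvmsg(s, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* V is the read end of a pipe holding "hello". Send V over the socket,
 * close the sender's copy while V is still in flight, then receive it on
 * the peer and read the data back. Returns bytes read (5 on success). */
int inflight_fd_roundtrip(void) {
    int s[2], p[2];
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0 || pipe(p) < 0) return -1;
    int v = p[0];                               /* V: read end of the pipe */
    if (write(p[1], "hello", 5) != 5) return -1;
    if (send_fd(s[0], v) < 0) return -1;        /* V is now in flight */
    close(v);                                   /* sender drops its own ref */
    int got = recv_fd(s[1]);                    /* peer gets a fresh fd */
    if (got < 0) return -1;
    ssize_t n = read(got, buf, sizeof buf);     /* same open file: readable */
    close(got); close(s[0]); close(s[1]); close(p[1]);
    return (int)n;
}

int main(void) {
    int n = inflight_fd_roundtrip();
    printf("bytes read back through the received fd: %d\n", n);
    return n == 5 ? 0 : 1;
}
```

Between send_fd() and recv_fd() the file behind V has count=1 and inflight=1 exactly as the diagram annotates, and the only path to it is the queued skb; that is the state the garbage collector must reason about correctly.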


Affected and fixed versions
===========================

Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 4.19.314 with commit a36ae0ec2353015f0f6762e59f4c2dbc0c906423
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 5.4.275 with commit 343c5372d5e17b306db5f8f3c895539b06e3177f
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 5.10.216 with commit 2e2a03787f4f0abc0072350654ab0ef3324d9db3
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 5.15.156 with commit e76c2678228f6aec74b305ae30c9374cc2f28a51
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 6.1.87 with commit b75722be422c276b699200de90527d01c602ea7c
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 6.6.28 with commit 507cc232ffe53a352847893f8177d276c3b532a9
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 6.8.7 with commit dbdf7bec5c920200077d693193f989cb1513f009
Issue introduced in 2.6.23 with commit 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 and fixed in 6.9 with commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26923
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
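The table above gives one "first fixed" release per stable branch, which is what an inventory check needs. The function below is an added example, not part of the advisory, that turns a kernel release string into a verdict using only that table: older than 2.6.23 never had the code, 6.9 and every later branch carry the fix, a listed branch is compared against its first fixed patch level, and a branch the advisory does not list gets no verdict of its own. The names (cve_2024_26923_status, the verdict enum) are mine. It assumes an upstream-style version string; distribution kernels that backport the fix without bumping the version need the distribution's own advisory instead.

```c
/* Added example: classify a kernel release string against the
 * CVE-2024-26923 fixed-version table from the advisory. Not advisory code. */
#include <stddef.h>
#include <stdio.h>

struct fixed_release { int major, minor, patch; };

/* First fixed release on each stable branch, copied from the advisory. */
static const struct fixed_release fixed[] = {
    {4, 19, 314}, {5, 4, 275}, {5, 10, 216}, {5, 15, 156},
    {6, 1, 87},   {6, 6, 28},  {6, 8, 7},    {6, 9, 0},
};

enum verdict {
    CVE_UNAFFECTED,     /* older than 2.6.23: code not present */
    CVE_FIXED,          /* at or past the branch's first fixed release */
    CVE_VULNERABLE,     /* listed branch, before its first fixed release */
    CVE_NO_FIX_LISTED,  /* branch not in the advisory (e.g. end-of-life) */
    CVE_BAD_INPUT,      /* string did not parse as major.minor[.patch] */
};

/* Accepts "6.6.27-arch1-1", "5.10.216", "6.9"; any suffix is ignored. */
static int parse_release(const char *rel, int *maj, int *min, int *pat) {
    *pat = 0;                         /* "6.9" is treated as 6.9.0 */
    return sscanf(rel, "%d.%d.%d", maj, min, pat) >= 2 ? 0 : -1;
}

enum verdict cve_2024_26923_status(const char *release) {
    int maj, min, pat;
    if (parse_release(release, &maj, &min, &pat) < 0) return CVE_BAD_INPUT;
    /* Introduced in 2.6.23: anything older never had the bug. */
    if (maj < 2 || (maj == 2 && (min < 6 || (min == 6 && pat < 23))))
        return CVE_UNAFFECTED;
    /* Mainline 6.9 and all later branches contain the fix. */
    if (maj > 6 || (maj == 6 && min >= 9)) return CVE_FIXED;
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++) {
        if (fixed[i].major == maj && fixed[i].minor == min)
            return pat >= fixed[i].patch ? CVE_FIXED : CVE_VULNERABLE;
    }
    return CVE_NO_FIX_LISTED;
}

int main(void) {
    /* Constructed sample release strings, not taken from any real host. */
    static const char *samples[] = {
        "6.6.27-arch1-1", "6.6.28", "5.10.216", "6.7.12", "2.6.22", "6.12.3", "n/a",
    };
    static const char *names[] = {
        "unaffected", "fixed", "vulnerable", "no fix listed", "bad input",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], names[cve_2024_26923_status(samples[i])]);
    return 0;
}
```

Run it against `uname -r` output across a fleet and treat CVE_NO_FIX_LISTED as "needs a decision", not as safe: the advisory simply has no backport for that branch.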


Affected files
==============

The file(s) affected by this issue are:
net/unix/garbage.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423
https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f
https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3
https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51
https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c
https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9
https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009
https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51