cve/published/2024/CVE-2024-40954.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: do not leave a dangling sk pointer, when socket creation fails

 It is possible to trigger a use-after-free by:
   * attaching an fentry probe to __sock_release() and the probe calling the
     bpf_get_socket_cookie() helper
   * running traceroute -I 1.1.1.1 on a freshly booted VM

 A KASAN enabled kernel will log something like below (decoded and stripped):
 ==================================================================
 BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
 Read of size 8 at addr ffff888007110dd8 by task traceroute/299

 CPU: 2 PID: 299 Comm: traceroute Tainted: G            E      6.10.0-rc2+ #2
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
 Call Trace:
  <TASK>
 dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
 ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
 kasan_report (mm/kasan/report.c:603)
 ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
 kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
 __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
 bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
 bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
 bpf_trampoline_6442506592+0x47/0xaf
 __sock_release (net/socket.c:652)
 __sock_create (net/socket.c:1601)
 ...
 Allocated by task 299 on cpu 2 at 78.328492s:
 kasan_save_stack (mm/kasan/common.c:48)
 kasan_save_track (mm/kasan/common.c:68)
 __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
 kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
 sk_prot_alloc (net/core/sock.c:2075)
 sk_alloc (net/core/sock.c:2134)
 inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
 __sock_create (net/socket.c:1572)
 __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
 __x64_sys_socket (net/socket.c:1718)
 do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 Freed by task 299 on cpu 2 at 78.328502s:
 kasan_save_stack (mm/kasan/common.c:48)
 kasan_save_track (mm/kasan/common.c:68)
 kasan_save_free_info (mm/kasan/generic.c:582)
 poison_slab_object (mm/kasan/common.c:242)
 __kasan_slab_free (mm/kasan/common.c:256)
 kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
 __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
 inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
 __sock_create (net/socket.c:1572)
 __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
 __x64_sys_socket (net/socket.c:1718)
 do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 Fix this by clearing the struct socket reference in sk_common_release() to cover
 all protocol families create functions, which may already attached the
 reference to the sk object with sock_init_data().

 The Linux kernel CVE team has assigned CVE-2024-40954 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 5.15.162 with commit 78e4aa528a7b1204219d808310524344f627d069
 	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.1.96 with commit 893eeba94c40d513cd0fe6539330ebdaea208c0e
 	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.6.36 with commit 454c454ed645fed051216b79622f7cb69c1638f5
 	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.9.7 with commit 5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9
 	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.10 with commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40954
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/sock.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069
 	https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e
 	https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5
 	https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9
 	https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: do not leave a dangling sk pointer, when socket creation fails

	It is possible to trigger a use-after-free by:
	* attaching an fentry probe to __sock_release() and the probe calling the
	bpf_get_socket_cookie() helper
	* running traceroute -I 1.1.1.1 on a freshly booted VM

	A KASAN enabled kernel will log something like below (decoded and stripped):
	==================================================================
	BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
	Read of size 8 at addr ffff888007110dd8 by task traceroute/299

	CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
	print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
	? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
	kasan_report (mm/kasan/report.c:603)
	? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
	kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
	__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
	bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
	bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
	bpf_trampoline_6442506592+0x47/0xaf
	__sock_release (net/socket.c:652)
	__sock_create (net/socket.c:1601)
	...
	Allocated by task 299 on cpu 2 at 78.328492s:
	kasan_save_stack (mm/kasan/common.c:48)
	kasan_save_track (mm/kasan/common.c:68)
	__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
	kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
	sk_prot_alloc (net/core/sock.c:2075)
	sk_alloc (net/core/sock.c:2134)
	inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
	__sock_create (net/socket.c:1572)
	__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
	__x64_sys_socket (net/socket.c:1718)
	do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	Freed by task 299 on cpu 2 at 78.328502s:
	kasan_save_stack (mm/kasan/common.c:48)
	kasan_save_track (mm/kasan/common.c:68)
	kasan_save_free_info (mm/kasan/generic.c:582)
	poison_slab_object (mm/kasan/common.c:242)
	__kasan_slab_free (mm/kasan/common.c:256)
	kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
	__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
	inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
	__sock_create (net/socket.c:1572)
	__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
	__x64_sys_socket (net/socket.c:1718)
	do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	Fix this by clearing the struct socket reference in sk_common_release() to cover
	all protocol families create functions, which may already attached the
	reference to the sk object with sock_init_data().

	The Linux kernel CVE team has assigned CVE-2024-40954 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 5.15.162 with commit 78e4aa528a7b1204219d808310524344f627d069
	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.1.96 with commit 893eeba94c40d513cd0fe6539330ebdaea208c0e
	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.6.36 with commit 454c454ed645fed051216b79622f7cb69c1638f5
	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.9.7 with commit 5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9
	Issue introduced in 5.12 with commit c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd and fixed in 6.10 with commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40954
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/sock.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069
	https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e
	https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5
	https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9
	https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2