cve/published/2024/CVE-2024-56643.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56643: dccp: Fix memory leak in dccp_feat_change_recv

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dccp: Fix memory leak in dccp_feat_change_recv

 If dccp_feat_push_confirm() fails after new value for SP feature was accepted
 without reconciliation ('entry == NULL' branch), memory allocated for that value
 with dccp_feat_clone_sp_val() is never freed.

 Here is the kmemleak stack for this:

 unreferenced object 0xffff88801d4ab488 (size 8):
   comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)
   hex dump (first 8 bytes):
     01 b4 4a 1d 80 88 ff ff                          ..J.....
   backtrace:
     [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128
     [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline]
     [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]
     [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]
     [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]
     [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416
     [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125
     [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650
     [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688
     [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline]
     [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570
     [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111
     [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]
     [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696
     [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735
     [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865
     [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882
     [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline]
     [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline]
     [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889
     [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
     [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1

 Clean up the allocated memory in case of dccp_feat_push_confirm() failure
 and bail out with an error reset code.

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

 The Linux kernel CVE team has assigned CVE-2024-56643 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.4.287 with commit 623be080ab3c13d71570bd32f7202a8efa8e2252
 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.10.231 with commit c99507fff94b926fc92279c92d80f229c91cb85d
 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.15.174 with commit bc3d4423def1a9412a0ae454cb4477089ab79276
 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.1.120 with commit 6ff67909ee2ffad911e3122616df41dee23ff4f6
 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.6.66 with commit d3ec686a369fae5034303061f003cd3f94ddfd23
 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.12.5 with commit 9ee68b0f23706a77f53c832457b9384178b76421
 	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.13 with commit 22be4727a8f898442066bcac34f8a1ad0bc72e14

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56643
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/dccp/feat.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252
 	https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85d
 	https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276
 	https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6
 	https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23
 	https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421
 	https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0bc72e14
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56643: dccp: Fix memory leak in dccp_feat_change_recv

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dccp: Fix memory leak in dccp_feat_change_recv

	If dccp_feat_push_confirm() fails after new value for SP feature was accepted
	without reconciliation ('entry == NULL' branch), memory allocated for that value
	with dccp_feat_clone_sp_val() is never freed.

	Here is the kmemleak stack for this:

	unreferenced object 0xffff88801d4ab488 (size 8):
	comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)
	hex dump (first 8 bytes):
	01 b4 4a 1d 80 88 ff ff ..J.....
	backtrace:
	[<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128
	[<0000000019b38405>] kmemdup include/linux/string.h:465 [inline]
	[<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]
	[<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]
	[<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]
	[<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416
	[<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125
	[<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650
	[<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688
	[<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline]
	[<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570
	[<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111
	[<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]
	[<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696
	[<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735
	[<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865
	[<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882
	[<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline]
	[<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline]
	[<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889
	[<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
	[<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1

	Clean up the allocated memory in case of dccp_feat_push_confirm() failure
	and bail out with an error reset code.

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	The Linux kernel CVE team has assigned CVE-2024-56643 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.4.287 with commit 623be080ab3c13d71570bd32f7202a8efa8e2252
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.10.231 with commit c99507fff94b926fc92279c92d80f229c91cb85d
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 5.15.174 with commit bc3d4423def1a9412a0ae454cb4477089ab79276
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.1.120 with commit 6ff67909ee2ffad911e3122616df41dee23ff4f6
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.6.66 with commit d3ec686a369fae5034303061f003cd3f94ddfd23
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.12.5 with commit 9ee68b0f23706a77f53c832457b9384178b76421
	Issue introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 and fixed in 6.13 with commit 22be4727a8f898442066bcac34f8a1ad0bc72e14

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56643
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/dccp/feat.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252
	https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85d
	https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276
	https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6
	https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23
	https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421
	https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0bc72e14