From bippy-1.1.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-56658: net: defer final 'struct net' free in netns dismantle

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: defer final 'struct net' free in netns dismantle

Ilya reported a slab-use-after-free in dst_destroy [1]

Issue is in xfrm6_net_init() and xfrm4_net_init():

They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.

But net structure might be freed before all the dst callbacks are
called. So when dst_destroy() calls later:

    if (dst->ops->destroy)
        dst->ops->destroy(dst);

dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.

See a relevant issue fixed in:

ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")

A fix is to queue the 'struct net' to be freed after one
another cleanup_net() round (and existing rcu_barrier())

[1]

BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)
Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0
Dec 03 05:46:18 kernel:
CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67
Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:124)
print_address_description.constprop.0 (mm/kasan/report.c:378)
? dst_destroy (net/core/dst.c:112)
print_report (mm/kasan/report.c:489)
? dst_destroy (net/core/dst.c:112)
? kasan_addr_to_slab (mm/kasan/common.c:37)
kasan_report (mm/kasan/report.c:603)
? dst_destroy (net/core/dst.c:112)
? rcu_do_batch (kernel/rcu/tree.c:2567)
dst_destroy (net/core/dst.c:112)
rcu_do_batch (kernel/rcu/tree.c:2567)
? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)
? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)
rcu_core (kernel/rcu/tree.c:2825)
handle_softirqs (kernel/softirq.c:554)
__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)
irq_exit_rcu (kernel/softirq.c:651)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)
Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90
RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246
RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d
R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000
R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000
? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)
? cpuidle_idle_call (kernel/sched/idle.c:186)
default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)
cpuidle_idle_call (kernel/sched/idle.c:186)
? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)
? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)
do_idle (kernel/sched/idle.c:326)
cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))
start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)
? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)
? soft_restart_cpu (arch/x86/kernel/head_64.S:452)
common_startup_64 (arch/x86/kernel/head_64.S:414)
</TASK>
Dec 03 05:46:18 kernel:
Allocated by task 12184:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)
copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)
create_new_namespaces (kernel/nsproxy.c:110)
unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))
ksys_unshare (kernel/fork.c:3313)
__x64_sys_unshare (kernel/fork.c:3382)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Dec 03 05:46:18 kernel:
Freed by task 11:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
kasan_save_free_info (mm/kasan/generic.c:582)
__kasan_slab_free (mm/kasan/common.c:271)
kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681)
cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647)
process_one_work (kernel/workqueue.c:3229)
worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
kthread (kernel/kthread.c:389)
ret_from_fork (arch/x86/kernel/process.c:147)
ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
Dec 03 05:46:18 kernel:
Last potentially related work creation:
kasan_save_stack (mm/kasan/common.c:48)
__kasan_record_aux_stack (mm/kasan/generic.c:541)
insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
__queue_work (kernel/workqueue.c:2340)
queue_work_on (kernel/workqueue.c:2391)
xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610)
xfrm_add_policy (net/xfrm/xfrm_user.c:2116)
xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321)
netlink_rcv_skb (net/netlink/af_netlink.c:2536)
xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344)
netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342)
netlink_sendmsg (net/netlink/af_netlink.c:1886)
sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165)
vfs_write (fs/read_write.c:590 fs/read_write.c:683)
ksys_write (fs/read_write.c:736)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Dec 03 05:46:18 kernel:
Second to last potentially related work creation:
kasan_save_stack (mm/kasan/common.c:48)
__kasan_record_aux_stack (mm/kasan/generic.c:541)
insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
__queue_work (kernel/workqueue.c:2340)
queue_work_on (kernel/workqueue.c:2391)
__xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513)
xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940)
xfrm_add_sa (net/xfrm/xfrm_user.c:912)
xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321)
netlink_rcv_skb (net/netlink/af_netlink.c:2536)
xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344)
netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342)
netlink_sendmsg (net/netlink/af_netlink.c:1886)
sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165)
vfs_write (fs/read_write.c:590 fs/read_write.c:683)
ksys_write (fs/read_write.c:736)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

The Linux kernel CVE team has assigned CVE-2024-56658 to this issue.


Affected and fixed versions
===========================

Issue introduced in 4.4 with commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 and fixed in 5.10.237 with commit c261dcd61c9e88a8f1a66654354d32295a975230
Issue introduced in 4.4 with commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 and fixed in 5.15.181 with commit dac465986a4a38cd2f13e934f562b6ca344e5720
Issue introduced in 4.4 with commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 and fixed in 6.1.121 with commit 3267b254dc0a04dfa362a2be24573cfa6d2d78f5
Issue introduced in 4.4 with commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 and fixed in 6.6.67 with commit b7a79e51297f7b82adb687086f5cb2da446f1e40
Issue introduced in 4.4 with commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 and fixed in 6.12.6 with commit 6610c7f8a8d47fd1123eed55ba8c11c2444d8842
Issue introduced in 4.4 with commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 and fixed in 6.13 with commit 0f6ede9fbc747e2553612271bce108f7517e7a45
Issue introduced in 3.12.54 with commit 3e29fa5b742479f73400468314a1c6b9cf553ee4
Issue introduced in 3.18.27 with commit ce43f6a650a6689551a217276fb0dcca33790425
Issue introduced in 4.1.17 with commit eeca98948d8c4922e6deb16bfc9ee0bd9902dbb0
Issue introduced in 4.3.5 with commit 1bd631fc9a4515878c1bb7effd19335d2f2d87c2
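Added example, not part of the advisory or of any kernel.org tooling: a small check that encodes the version table above (the 4.4 introduction, the listed stable fixes, and the backported introductions into 3.12.54, 3.18.27, 4.1.17 and 4.3.5) and compares a `uname -r` string against it. The function names and the rule that a branch with no listed fix is treated as affected are my own assumptions.

```python
"""Compare an upstream kernel version string against the CVE-2024-56658 version table."""
import platform
import re

# Stable branches with a listed fix: (major, minor) -> first fixed patch level.
FIXED_IN = {(5, 10): 237, (5, 15): 181, (6, 1): 121, (6, 6): 67, (6, 12): 6}
MAINLINE_FIX = (6, 13)    # fixed in 6.13; every later release carries the fix
MAINLINE_INTRO = (4, 4)   # introducing commit landed in 4.4
# Older stable branches that received the introducing commit as a backport.
BACKPORT_INTRO = {(3, 12): 54, (3, 18): 27, (4, 1): 17, (4, 3): 5}


def parse_version(release):
    """Turn 'uname -r' output such as '6.6.67-1-generic' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"not a kernel version: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(release):
    """True if the upstream version number falls inside an affected range.

    Only the upstream number is inspected: distribution kernels that backport
    fixes without changing it must be checked against the distribution advisory.
    """
    major, minor, patch = parse_version(release)
    branch = (major, minor)
    if branch in BACKPORT_INTRO:      # old branch that got the bug via a backport
        return patch >= BACKPORT_INTRO[branch]
    if branch < MAINLINE_INTRO:       # predates the introducing commit
        return False
    if branch >= MAINLINE_FIX:        # 6.13 or later
        return False
    if branch in FIXED_IN:            # stable branch with a listed fix
        return patch < FIXED_IN[branch]
    return True                       # assumption: no fix listed for this branch


if __name__ == "__main__":
    running = platform.release()
    state = "AFFECTED" if is_affected(running) else "not affected"
    print(f"kernel {running}: {state} by CVE-2024-56658")
```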

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-56658
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
include/net/net_namespace.h
net/core/net_namespace.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c261dcd61c9e88a8f1a66654354d32295a975230
https://git.kernel.org/stable/c/dac465986a4a38cd2f13e934f562b6ca344e5720
https://git.kernel.org/stable/c/3267b254dc0a04dfa362a2be24573cfa6d2d78f5
https://git.kernel.org/stable/c/b7a79e51297f7b82adb687086f5cb2da446f1e40
https://git.kernel.org/stable/c/6610c7f8a8d47fd1123eed55ba8c11c2444d8842
https://git.kernel.org/stable/c/0f6ede9fbc747e2553612271bce108f7517e7a45