Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2024 / CVE-2024-57903.mbox
blob: b0779513469fcebc7725becff3486a9490a5cfc8 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-57903: net: restrict SO_REUSEPORT to inet sockets
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: restrict SO_REUSEPORT to inet sockets
After blamed commit, crypto sockets could accidentally be destroyed
from RCU call back, as spotted by zyzbot [1].
Trying to acquire a mutex in RCU callback is not allowed.
Restrict SO_REUSEPORT socket option to inet sockets.
v1 of this patch supported TCP, UDP and SCTP sockets,
but fcnal-test.sh test needed RAW and ICMP support.
[1]
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1
preempt_count: 100, expected: 0
RCU nest depth: 0, expected: 0
1 lock held by ksoftirqd/1/24:
#0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]
#0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823
Preemption disabled at:
[<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]
[<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
__might_resched+0x5d4/0x780 kernel/sched/core.c:8758
__mutex_lock_common kernel/locking/mutex.c:562 [inline]
__mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179
aead_release+0x3d/0x50 crypto/algif_aead.c:489
alg_do_release crypto/af_alg.c:118 [inline]
alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
__sk_destruct+0x58/0x5f0 net/core/sock.c:2260
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
run_ksoftirqd+0xca/0x130 kernel/softirq.c:950
smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The Linux kernel CVE team has assigned CVE-2024-57903 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 5.15.176 with commit 579cfa595af1e00ccc9c3a849a4add6bba8b4bad
Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.1.124 with commit ad2ad4cd11af9d63187cd074314b71b7cf8a2a59
Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.6.70 with commit ad91a2dacbf8c26a446658cdd55e8324dfeff1e7
Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.12.9 with commit 3257813a3ae7462ac5cde04e120806f0c0776850
Issue introduced in 5.4 with commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 and fixed in 6.13 with commit 5b0af621c3f6ef9261cf6067812f2fd9943acb4b
Issue introduced in 4.9.196 with commit 62241d6d9e497ad16372b74d2afa3340128e8e57
Issue introduced in 4.14.148 with commit 1e24f532c736b3f99f3fe7c4be66414c40df5f02
Issue introduced in 4.19.78 with commit d5b1db1c7ce4198bbbd51160350bdd446c8ed2ba
Issue introduced in 5.2.20 with commit 50b26ba8938f1741523ca733aa9a548a12b6edd6
Issue introduced in 5.3.5 with commit 7e2777fd4816cdf6bff5de9e5221514f36dddfbf
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-57903
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/sock.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/579cfa595af1e00ccc9c3a849a4add6bba8b4bad
https://git.kernel.org/stable/c/ad2ad4cd11af9d63187cd074314b71b7cf8a2a59
https://git.kernel.org/stable/c/ad91a2dacbf8c26a446658cdd55e8324dfeff1e7
https://git.kernel.org/stable/c/3257813a3ae7462ac5cde04e120806f0c0776850
https://git.kernel.org/stable/c/5b0af621c3f6ef9261cf6067812f2fd9943acb4b