From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2024-36972: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
Date: Mon, 10 Jun 2024 15:57:49 +0100
Message-ID: <20240610145748.1497527-2-lee@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob().

__unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set it to NULL locklessly.

However, the peer socket can still send a MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading to a NULL pointer dereference. [0]

To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb.

Note that we defer kfree_skb() in manage_oob() to silence lockdep false-positive (See [1]).

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events delayed_fput
RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
FS:  0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 unix_release_sock (net/unix/af_unix.c:654)
 unix_release (net/unix/af_unix.c:1050)
 __sock_release (net/socket.c:660)
 sock_close (net/socket.c:1423)
 __fput (fs/file_table.c:423)
 delayed_fput (fs/file_table.c:444 (discriminator 3))
 process_one_work (kernel/workqueue.c:3259)
 worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
 kthread (kernel/kthread.c:388)
 ret_from_fork (arch/x86/kernel/process.c:153)
 ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
Modules linked in:
CR2: 0000000000000008

The Linux kernel CVE team has assigned CVE-2024-36972 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 6.8 with commit 1279f9d9dec2 and fixed in 6.10-rc1 with commit 9841991a446c
	Issue introduced in 5.15.149 with commit 4fe505c63aa3
	Issue introduced in 6.1.78 with commit e0e09186d882
	Issue introduced in 6.6.17 with commit b74aa9ce13d0
	Issue introduced in 6.7.5 with commit 82ae47c5c3a6

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-36972 will be updated if fixes are backported, please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/unix/af_unix.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2
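The description above boils down to a locking rule: every writer of unix_sk(sk)->oob_skb (the peer's queue_oob() and the garbage collector alike) must hold sk_receive_queue.lock, and the kfree_skb() of the displaced skb happens after the lock is released. The user-space C model below is an added illustration of that rule and is not code from the kernel or from the fix commit; struct names, the `oob_skb_xchg()` helper, the `lock_violations` counter and the two scenario functions are assumptions made for the example. The counter plays the role a lockdep_assert_held() would play in the kernel: it flags any write to the field made without the queue lock, which is exactly the pre-fix GC pattern the commit message describes.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for the kernel objects; names are assumed for this model. */
struct skb { int users; bool freed; };

struct unix_sock {
    bool rq_locked;        /* models sk->sk_receive_queue.lock being held */
    struct skb *oob_skb;   /* models unix_sk(sk)->oob_skb */
};

/* Counts writes to oob_skb made without the queue lock (a lockdep-style check). */
static int lock_violations;

static void rq_lock(struct unix_sock *u)   { assert(!u->rq_locked); u->rq_locked = true; }
static void rq_unlock(struct unix_sock *u) { assert(u->rq_locked);  u->rq_locked = false; }

static struct skb *skb_alloc(void) { struct skb *s = calloc(1, sizeof *s); s->users = 1; return s; }
static struct skb *skb_get(struct skb *s) { s->users++; return s; }
static void kfree_skb(struct skb *s) { if (s && --s->users == 0) s->freed = true; }

/* The single place oob_skb is written: caller must hold the queue lock. */
static struct skb *oob_skb_xchg(struct unix_sock *u, struct skb *new)
{
    struct skb *old = u->oob_skb;
    if (!u->rq_locked)
        lock_violations++;     /* what lockdep_assert_held() would report */
    u->oob_skb = new;
    return old;
}

/* Post-fix shape of the peer's writer: lock, swap, unlock, then free the old one. */
static void queue_oob_fixed(struct unix_sock *u, struct skb *skb)
{
    struct skb *old;
    rq_lock(u);
    old = oob_skb_xchg(u, skb_get(skb));  /* oob_skb keeps its own reference */
    rq_unlock(u);
    kfree_skb(old);                       /* deferred: never under the queue lock */
}

/* Post-fix shape of the GC path: identical discipline, clears instead of replaces. */
static void gc_drop_oob_fixed(struct unix_sock *u)
{
    struct skb *old;
    rq_lock(u);
    old = oob_skb_xchg(u, NULL);
    rq_unlock(u);
    kfree_skb(old);
}

/* Pre-fix GC pattern from the description: drop the reference and clear with no lock. */
static void gc_drop_oob_lockless(struct unix_sock *u)
{
    kfree_skb(oob_skb_xchg(u, NULL));
}

/* Two OOB sends then GC, all under the lock; returns the violation count (expect 0). */
int scenario_fixed(void)
{
    struct unix_sock u = {0};
    struct skb *a = skb_alloc(), *b = skb_alloc();   /* constructed sample skbs */
    int v;

    lock_violations = 0;
    queue_oob_fixed(&u, a);      /* a: queue ref + oob ref */
    queue_oob_fixed(&u, b);      /* a loses its oob ref, b gains one */
    assert(u.oob_skb == b && a->users == 1 && b->users == 2 && !a->freed);
    gc_drop_oob_fixed(&u);       /* b loses its oob ref but is still queued */
    assert(u.oob_skb == NULL && b->users == 1 && !b->freed);
    kfree_skb(a); kfree_skb(b);  /* receive queue drained on release */
    assert(a->freed && b->freed);
    v = lock_violations;
    free(a); free(b);
    return v;
}

/* Same send, but GC clears the field the old way; returns the violation count (expect 1). */
int scenario_lockless(void)
{
    struct unix_sock u = {0};
    struct skb *a = skb_alloc();
    int v;

    lock_violations = 0;
    queue_oob_fixed(&u, a);
    gc_drop_oob_lockless(&u);
    v = lock_violations;
    kfree_skb(a); free(a);
    return v;
}

int main(void)
{
    printf("fixed path violations: %d\n", scenario_fixed());
    printf("lockless GC violations: %d\n", scenario_lockless());
    return 0;
}
```

The model is single-threaded, so it does not reproduce the crash; it shows the invariant the fix establishes (one guarded write site, reference dropped outside the lock) and the kind of assertion that makes a lockless writer visible during testing rather than as an oops in skb_dequeue().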