CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

[Greg Kroah-Hartman]

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

syzkaller reported a use-after-free of UDP kernel socket
in cleanup_bearer() without repro. [0][1]

When bearer_disable() calls tipc_udp_disable(), cleanup
of the UDP kernel socket is deferred by work calling
cleanup_bearer().

tipc_net_stop() waits for such works to finish by checking
tipc_net(net)->wq_count.  However, the work decrements the
count too early before releasing the kernel socket,
unblocking cleanup_net() and resulting in use-after-free.

Let's move the decrement after releasing the socket in
cleanup_bearer().

[0]:
ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at
     sk_alloc+0x438/0x608
     inet_create+0x4c8/0xcb0
     __sock_create+0x350/0x6b8
     sock_create_kern+0x58/0x78
     udp_sock_create4+0x68/0x398
     udp_sock_create+0x88/0xc8
     tipc_udp_enable+0x5e8/0x848
     __tipc_nl_bearer_enable+0x84c/0xed8
     tipc_nl_bearer_enable+0x38/0x60
     genl_family_rcv_msg_doit+0x170/0x248
     genl_rcv_msg+0x400/0x5b0
     netlink_rcv_skb+0x1dc/0x398
     genl_rcv+0x44/0x68
     netlink_unicast+0x678/0x8b0
     netlink_sendmsg+0x5e4/0x898
     ____sys_sendmsg+0x500/0x830

[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 udp_hashslot include/net/udp.h:85 [inline]
 udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
 __sock_release net/socket.c:658 [inline]
 sock_release+0xa0/0x210 net/socket.c:686
 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_free_hook mm/slub.c:2269 [inline]
 slab_free mm/slub.c:4580 [inline]
 kmem_cache_free+0x207/0xc40 mm/slub.c:4682
 net_free net/core/net_namespace.c:454 [inline]
 cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer

The Linux kernel CVE team has assigned CVE-2024-56642 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 5.4.287 with commit 4e69457f9dfae67435f3ccf29008768eae860415
	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 5.10.231 with commit 650ee9a22d7a2de8999fac2d45983597a0c22359
	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 5.15.174 with commit d2a4894f238551eae178904e7f45af87577074fd
	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.1.120 with commit d62d5180c036eeac09f80660edc7a602b369125f
	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.6.66 with commit d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.12.5 with commit e48b211c4c59062cb6dd6c2c37c51a7cc235a464
	Issue introduced in 4.2 with commit 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and fixed in 6.13-rc2 with commit 6a2fa13312e51a621f652d522d7e2df7066330b6

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56642
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/tipc/udp_media.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415
	https://git.kernel.org/stable/c/650ee9a22d7a2de8999fac2d45983597a0c22359
	https://git.kernel.org/stable/c/d2a4894f238551eae178904e7f45af87577074fd
	https://git.kernel.org/stable/c/d62d5180c036eeac09f80660edc7a602b369125f
	https://git.kernel.org/stable/c/d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
	https://git.kernel.org/stable/c/e48b211c4c59062cb6dd6c2c37c51a7cc235a464
	https://git.kernel.org/stable/c/6a2fa13312e51a621f652d522d7e2df7066330b6

Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

[Siddh Raman Pant]

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

The commit message has:
> tipc: Fix use-after-free of kernel socket in cleanup_bearer().
>
> syzkaller reported a use-after-free of UDP kernel socket
> in cleanup_bearer() without repro. [0][1]
>
> When bearer_disable() calls tipc_udp_disable(), cleanup
> of the UDP kernel socket is deferred by work calling
> cleanup_bearer().
>
> tipc_net_stop() waits for such works to finish by checking
> tipc_net(net)->wq_count.  However, the work decrements the
> count too early before releasing the kernel socket,
> unblocking cleanup_net() and resulting in use-after-free.

This is incorrect, the function which waits is tipc_exit_net, which has
the spinning while loop.

That function is an exit function so this can't be triggered without
privileges.

Could it be grounds for rejection? Probably not but I thought I should
ask.

> Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")

The fixes tag is incorrect. It should be the commit which adds the
counter, which is:

04c26faa51d1 ("tipc: wait and exit until all work queues are done")

Maybe this needs to be corrected in the JSONs (as the commits are set
in stone).

Thanks,
Siddh

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

[Greg KH]

On Tue, Feb 18, 2025 at 01:04:05PM +0000, Siddh Raman Pant wrote:
> The commit message has:
> > tipc: Fix use-after-free of kernel socket in cleanup_bearer().
> >
> > syzkaller reported a use-after-free of UDP kernel socket
> > in cleanup_bearer() without repro. [0][1]
> >
> > When bearer_disable() calls tipc_udp_disable(), cleanup
> > of the UDP kernel socket is deferred by work calling
> > cleanup_bearer().
> >
> > tipc_net_stop() waits for such works to finish by checking
> > tipc_net(net)->wq_count.  However, the work decrements the
> > count too early before releasing the kernel socket,
> > unblocking cleanup_net() and resulting in use-after-free.
> 
> This is incorrect, the function which waits is tipc_exit_net, which has
> the spinning while loop.
> 
> That function is an exit function so this can't be triggered without
> privileges.
> 
> Could it be grounds for rejection? Probably not but I thought I should
> ask.

If you think the text is incorrect, please send us a patch for the text
and we can apply it to the cve data.

> > Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
> 
> The fixes tag is incorrect. It should be the commit which adds the
> counter, which is:
> 
> 04c26faa51d1 ("tipc: wait and exit until all work queues are done")
> 
> Maybe this needs to be corrected in the JSONs (as the commits are set
> in stone).

Again, if the Fixes: tag is incorrect, please send us the correct
information as a .vulnerable file as our vulns.git cve documentation
shows and we will be glad to regenerate the entry.

thanks,

greg k-h

[PATCH] CVE-2024-56642: Fix wrong fixes tag and function name in commit message.

[Siddh Raman Pant]

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2024/CVE-2024-56642.diff       | 11 +++++++++++
 cve/published/2024/CVE-2024-56642.vulnerable |  1 +
 2 files changed, 12 insertions(+)
 create mode 100644 cve/published/2024/CVE-2024-56642.diff
 create mode 100644 cve/published/2024/CVE-2024-56642.vulnerable

diff --git a/cve/published/2024/CVE-2024-56642.diff b/cve/published/2024/CVE-2024-56642.diff
new file mode 100644
index 000000000000..b31d3694986c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.diff
@@ -0,0 +1,11 @@
+--- a/CVE-2024-56642.mbox
++++ b/CVE-2024-56642.mbox
+@@ -18,7 +18,7 @@ When bearer_disable() calls tipc_udp_disable(), cleanup
+ of the UDP kernel socket is deferred by work calling
+ cleanup_bearer().
+ 
+-tipc_net_stop() waits for such works to finish by checking
++tipc_exit_net() waits for such works to finish by checking
+ tipc_net(net)->wq_count.  However, the work decrements the
+ count too early before releasing the kernel socket,
+ unblocking cleanup_net() and resulting in use-after-free.
diff --git a/cve/published/2024/CVE-2024-56642.vulnerable b/cve/published/2024/CVE-2024-56642.vulnerable
new file mode 100644
index 000000000000..75eac70bd13b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.vulnerable
@@ -0,0 +1 @@
+04c26faa51d1e2fe71cf13c45791f5174c37f986
-- 
2.47.2

Re: [PATCH] CVE-2024-56642: Fix wrong fixes tag and function name in commit message.

[Greg KH]

On Tue, Feb 18, 2025 at 07:23:44PM +0530, Siddh Raman Pant wrote:
> Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>

Please provide some text here that descibes what is happening.  We can't
just take commits with no information at all, and neither would you want
us to :)

Also, can you break this up into two commits?  The changelog text I'm
going to have to convert into a diff in a different way.

thanks,

greg k-h

[PATCH 1/2] CVE-2024-56642: Fix wrong fixes tag.

[Siddh Raman Pant]

The fixes tag in the commit message is incorrect. It should be the
commit which adds the counter, which is:

04c26faa51d1 ("tipc: wait and exit until all work queues are done")

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2024/CVE-2024-56642.vulnerable | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 cve/published/2024/CVE-2024-56642.vulnerable

diff --git a/cve/published/2024/CVE-2024-56642.vulnerable b/cve/published/2024/CVE-2024-56642.vulnerable
new file mode 100644
index 000000000000..75eac70bd13b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.vulnerable
@@ -0,0 +1 @@
+04c26faa51d1e2fe71cf13c45791f5174c37f986
-- 
2.47.2

Re: [PATCH 1/2] CVE-2024-56642: Fix wrong fixes tag.

[Greg KH]

On Tue, Feb 18, 2025 at 08:07:31PM +0530, Siddh Raman Pant wrote:
> The fixes tag in the commit message is incorrect. It should be the
> commit which adds the counter, which is:
> 
> 04c26faa51d1 ("tipc: wait and exit until all work queues are done")
> 
> Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
> ---
>  cve/published/2024/CVE-2024-56642.vulnerable | 1 +
>  1 file changed, 1 insertion(+)
>  create mode 100644 cve/published/2024/CVE-2024-56642.vulnerable
> 
> diff --git a/cve/published/2024/CVE-2024-56642.vulnerable b/cve/published/2024/CVE-2024-56642.vulnerable
> new file mode 100644
> index 000000000000..75eac70bd13b
> --- /dev/null
> +++ b/cve/published/2024/CVE-2024-56642.vulnerable
> @@ -0,0 +1 @@
> +04c26faa51d1e2fe71cf13c45791f5174c37f986
> -- 
> 2.47.2
> 

Many thanks, both now applied and the cve record has been regenerated.

greg k-h

[PATCH 2/2] CVE-2024-56642: Fix mention of wrong function.

[Siddh Raman Pant]

The function which waits is tipc_exit_net(), which has the spinning
while loop at the end.

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2024/CVE-2024-56642.diff | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 cve/published/2024/CVE-2024-56642.diff

diff --git a/cve/published/2024/CVE-2024-56642.diff b/cve/published/2024/CVE-2024-56642.diff
new file mode 100644
index 000000000000..b31d3694986c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.diff
@@ -0,0 +1,11 @@
+--- a/CVE-2024-56642.mbox
++++ b/CVE-2024-56642.mbox
+@@ -18,7 +18,7 @@ When bearer_disable() calls tipc_udp_disable(), cleanup
+ of the UDP kernel socket is deferred by work calling
+ cleanup_bearer().
+ 
+-tipc_net_stop() waits for such works to finish by checking
++tipc_exit_net() waits for such works to finish by checking
+ tipc_net(net)->wq_count.  However, the work decrements the
+ count too early before releasing the kernel socket,
+ unblocking cleanup_net() and resulting in use-after-free.
-- 
2.47.2