Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

[Siddh Raman Pant]

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

The commit message has:
> tipc: Fix use-after-free of kernel socket in cleanup_bearer().
>
> syzkaller reported a use-after-free of UDP kernel socket
> in cleanup_bearer() without repro. [0][1]
>
> When bearer_disable() calls tipc_udp_disable(), cleanup
> of the UDP kernel socket is deferred by work calling
> cleanup_bearer().
>
> tipc_net_stop() waits for such works to finish by checking
> tipc_net(net)->wq_count.  However, the work decrements the
> count too early before releasing the kernel socket,
> unblocking cleanup_net() and resulting in use-after-free.

This is incorrect, the function which waits is tipc_exit_net, which has
the spinning while loop.

That function is an exit function so this can't be triggered without
privileges.

Could it be grounds for rejection? Probably not but I thought I should
ask.

> Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")

The fixes tag is incorrect. It should be the commit which adds the
counter, which is:

04c26faa51d1 ("tipc: wait and exit until all work queues are done")

Maybe this needs to be corrected in the JSONs (as the commits are set
in stone).

Thanks,
Siddh

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().

[Greg KH]

On Tue, Feb 18, 2025 at 01:04:05PM +0000, Siddh Raman Pant wrote:
> The commit message has:
> > tipc: Fix use-after-free of kernel socket in cleanup_bearer().
> >
> > syzkaller reported a use-after-free of UDP kernel socket
> > in cleanup_bearer() without repro. [0][1]
> >
> > When bearer_disable() calls tipc_udp_disable(), cleanup
> > of the UDP kernel socket is deferred by work calling
> > cleanup_bearer().
> >
> > tipc_net_stop() waits for such works to finish by checking
> > tipc_net(net)->wq_count.  However, the work decrements the
> > count too early before releasing the kernel socket,
> > unblocking cleanup_net() and resulting in use-after-free.
> 
> This is incorrect, the function which waits is tipc_exit_net, which has
> the spinning while loop.
> 
> That function is an exit function so this can't be triggered without
> privileges.
> 
> Could it be grounds for rejection? Probably not but I thought I should
> ask.

If you think the text is incorrect, please send us a patch for the text
and we can apply it to the cve data.

> > Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
> 
> The fixes tag is incorrect. It should be the commit which adds the
> counter, which is:
> 
> 04c26faa51d1 ("tipc: wait and exit until all work queues are done")
> 
> Maybe this needs to be corrected in the JSONs (as the commits are set
> in stone).

Again, if the Fixes: tag is incorrect, please send us the correct
information as a .vulnerable file as our vulns.git cve documentation
shows and we will be glad to regenerate the entry.

thanks,

greg k-h

[PATCH] CVE-2024-56642: Fix wrong fixes tag and function name in commit message.

[Siddh Raman Pant]

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2024/CVE-2024-56642.diff       | 11 +++++++++++
 cve/published/2024/CVE-2024-56642.vulnerable |  1 +
 2 files changed, 12 insertions(+)
 create mode 100644 cve/published/2024/CVE-2024-56642.diff
 create mode 100644 cve/published/2024/CVE-2024-56642.vulnerable

diff --git a/cve/published/2024/CVE-2024-56642.diff b/cve/published/2024/CVE-2024-56642.diff
new file mode 100644
index 000000000000..b31d3694986c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.diff
@@ -0,0 +1,11 @@
+--- a/CVE-2024-56642.mbox
++++ b/CVE-2024-56642.mbox
+@@ -18,7 +18,7 @@ When bearer_disable() calls tipc_udp_disable(), cleanup
+ of the UDP kernel socket is deferred by work calling
+ cleanup_bearer().
+ 
+-tipc_net_stop() waits for such works to finish by checking
++tipc_exit_net() waits for such works to finish by checking
+ tipc_net(net)->wq_count.  However, the work decrements the
+ count too early before releasing the kernel socket,
+ unblocking cleanup_net() and resulting in use-after-free.
diff --git a/cve/published/2024/CVE-2024-56642.vulnerable b/cve/published/2024/CVE-2024-56642.vulnerable
new file mode 100644
index 000000000000..75eac70bd13b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.vulnerable
@@ -0,0 +1 @@
+04c26faa51d1e2fe71cf13c45791f5174c37f986
-- 
2.47.2

Re: [PATCH] CVE-2024-56642: Fix wrong fixes tag and function name in commit message.

[Greg KH]

On Tue, Feb 18, 2025 at 07:23:44PM +0530, Siddh Raman Pant wrote:
> Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>

Please provide some text here that descibes what is happening.  We can't
just take commits with no information at all, and neither would you want
us to :)

Also, can you break this up into two commits?  The changelog text I'm
going to have to convert into a diff in a different way.

thanks,

greg k-h

[PATCH 1/2] CVE-2024-56642: Fix wrong fixes tag.

[Siddh Raman Pant]

The fixes tag in the commit message is incorrect. It should be the
commit which adds the counter, which is:

04c26faa51d1 ("tipc: wait and exit until all work queues are done")

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2024/CVE-2024-56642.vulnerable | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 cve/published/2024/CVE-2024-56642.vulnerable

diff --git a/cve/published/2024/CVE-2024-56642.vulnerable b/cve/published/2024/CVE-2024-56642.vulnerable
new file mode 100644
index 000000000000..75eac70bd13b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.vulnerable
@@ -0,0 +1 @@
+04c26faa51d1e2fe71cf13c45791f5174c37f986
-- 
2.47.2

[PATCH 2/2] CVE-2024-56642: Fix mention of wrong function.

[Siddh Raman Pant]

The function which waits is tipc_exit_net(), which has the spinning
while loop at the end.

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2024/CVE-2024-56642.diff | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 cve/published/2024/CVE-2024-56642.diff

diff --git a/cve/published/2024/CVE-2024-56642.diff b/cve/published/2024/CVE-2024-56642.diff
new file mode 100644
index 000000000000..b31d3694986c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-56642.diff
@@ -0,0 +1,11 @@
+--- a/CVE-2024-56642.mbox
++++ b/CVE-2024-56642.mbox
+@@ -18,7 +18,7 @@ When bearer_disable() calls tipc_udp_disable(), cleanup
+ of the UDP kernel socket is deferred by work calling
+ cleanup_bearer().
+ 
+-tipc_net_stop() waits for such works to finish by checking
++tipc_exit_net() waits for such works to finish by checking
+ tipc_net(net)->wq_count.  However, the work decrements the
+ count too early before releasing the kernel socket,
+ unblocking cleanup_net() and resulting in use-after-free.
-- 
2.47.2

Re: [PATCH 1/2] CVE-2024-56642: Fix wrong fixes tag.

[Greg KH]

On Tue, Feb 18, 2025 at 08:07:31PM +0530, Siddh Raman Pant wrote:
> The fixes tag in the commit message is incorrect. It should be the
> commit which adds the counter, which is:
> 
> 04c26faa51d1 ("tipc: wait and exit until all work queues are done")
> 
> Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
> ---
>  cve/published/2024/CVE-2024-56642.vulnerable | 1 +
>  1 file changed, 1 insertion(+)
>  create mode 100644 cve/published/2024/CVE-2024-56642.vulnerable
> 
> diff --git a/cve/published/2024/CVE-2024-56642.vulnerable b/cve/published/2024/CVE-2024-56642.vulnerable
> new file mode 100644
> index 000000000000..75eac70bd13b
> --- /dev/null
> +++ b/cve/published/2024/CVE-2024-56642.vulnerable
> @@ -0,0 +1 @@
> +04c26faa51d1e2fe71cf13c45791f5174c37f986
> -- 
> 2.47.2
> 

Many thanks, both now applied and the cve record has been regenerated.

greg k-h