CVE-2024-44946

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kcm: Serialise kcm_sendmsg() for the same socket.<br /> <br /> syzkaller reported UAF in kcm_release(). [0]<br /> <br /> The scenario is<br /> <br /> 1. Thread A builds a skb with MSG_MORE and sets kcm-&gt;seq_skb.<br /> <br /> 2. Thread A resumes building skb from kcm-&gt;seq_skb but is blocked<br /> by sk_stream_wait_memory()<br /> <br /> 3. Thread B calls sendmsg() concurrently, finishes building kcm-&gt;seq_skb<br /> and puts the skb to the write queue<br /> <br /> 4. Thread A faces an error and finally frees skb that is already in the<br /> write queue<br /> <br /> 5. kcm_release() does double-free the skb in the write queue<br /> <br /> When a thread is building a MSG_MORE skb, another thread must not touch it.<br /> <br /> Let&amp;#39;s add a per-sk mutex and serialise kcm_sendmsg().<br /> <br /> [0]:<br /> BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]<br /> BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691<br /> Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167<br /> <br /> CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> Call trace:<br /> dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x178/0x518 mm/kasan/report.c:488<br /> kasan_report+0xd8/0x138 mm/kasan/report.c:601<br /> __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381<br /> __skb_unlink include/linux/skbuff.h:2366 [inline]<br /> __skb_dequeue include/linux/skbuff.h:2385 [inline]<br /> __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]<br /> __skb_queue_purge include/linux/skbuff.h:3181 [inline]<br /> kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691<br /> __sock_release net/socket.c:659 [inline]<br /> sock_close+0xa4/0x1e8 net/socket.c:1421<br /> __fput+0x30c/0x738 fs/file_table.c:376<br /> ____fput+0x20/0x30 fs/file_table.c:404<br /> task_work_run+0x230/0x2e0 kernel/task_work.c:180<br /> exit_task_work include/linux/task_work.h:38 [inline]<br /> do_exit+0x618/0x1f64 kernel/exit.c:871<br /> do_group_exit+0x194/0x22c kernel/exit.c:1020<br /> get_signal+0x1500/0x15ec kernel/signal.c:2893<br /> do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249<br /> do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148<br /> exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]<br /> exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]<br /> el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713<br /> el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598<br /> <br /> Allocated by task 6166:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x40/0x78 mm/kasan/common.c:68<br /> kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626<br /> unpoison_slab_object mm/kasan/common.c:314 [inline]<br /> __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340<br /> kasan_slab_alloc include/linux/kasan.h:201 [inline]<br /> slab_post_alloc_hook mm/slub.c:3813 [inline]<br /> slab_alloc_node mm/slub.c:3860 [inline]<br /> kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903<br /> __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641<br /> alloc_skb include/linux/skbuff.h:1296 [inline]<br /> kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> sock_sendmsg+0x220/0x2c0 net/socket.c:768<br /> splice_to_socket+0x7cc/0xd58 fs/splice.c:889<br /> do_splice_from fs/splice.c:941 [inline]<br /> direct_splice_actor+0xec/0x1d8 fs/splice.c:1164<br /> splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108<br /> do_splice_direct_actor <br /> ---truncated---