In the Linux kernel, the following vulnerability has been resolved: mptcp:
fix double-free on socket dismantle when MPTCP server accepts an incoming
connection, it clones its listener socket. However, the pointer to
‘inet_opt’ for the new socket has the same value as the original one: as a
consequence, on program exit it’s possible to observe the following splat:
BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr
ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25
Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro
SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ>
dump_stack_lvl+0x32/0x50 print_report+0xca/0x620
kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0
kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0
rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4
irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 </IRQ>
<TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP:
0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01
83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc
cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00
48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX:
0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX:
1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP:
0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10:
0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13:
0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80
cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60
start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b
</TASK> Allocated by task 6853: kasan_save_stack+0x1c/0x40
kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450
cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0
selinux_netlbl_socket_post_create+0x6c/0x110
selinux_socket_post_create+0x37b/0x7f0
security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450
__sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0
__x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160
entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858:
kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30
kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0
kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0
subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110
tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390
tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310
tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990
tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0
ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0
ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0
process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500
net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address
belongs to the object at ffff888485950880 which belongs to the cache
kmalloc-64 of size 64 The buggy address is located 0 bytes inside of
64-byte region [ffff888485950880, ffff8884859508c0) The buggy address
belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0
mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags:
0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type:
0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0
dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff
0000000000000000 page dumped because: kasan: bad access detected Memory
state around the buggy address: ffff888485950780: fa fb fb —truncated—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-44.44 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1063.69~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < 6.5.0-1023.23~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1066.75 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < 6.5.0-1024.25~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < 5.15.0-1067.76.1 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-fde-5.15 | < 5.15.0-1065.74~20.04.1.1 | UNKNOWN |
git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c
git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e
git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc
git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582
git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85
git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e
launchpad.net/bugs/cve/CVE-2024-26782
nvd.nist.gov/vuln/detail/CVE-2024-26782
security-tracker.debian.org/tracker/CVE-2024-26782
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
ubuntu.com/security/notices/USN-6871-1
ubuntu.com/security/notices/USN-6892-1
ubuntu.com/security/notices/USN-6895-1
ubuntu.com/security/notices/USN-6895-2
ubuntu.com/security/notices/USN-6895-3
ubuntu.com/security/notices/USN-6900-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2024-26782