linux-cve-announce.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* CVE-2024-26923: af_unix: Fix garbage collector racing against connect()
@ 2024-04-24 21:49 Greg Kroah-Hartman
  0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2024-04-24 21:49 UTC (permalink / raw)
  To: linux-cve-announce; +Cc: Greg Kroah-Hartman

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)	sendmsg(S, [V]); close(V)	__unix_gc()
----------------	-------------------------	-----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
			// V count=1 inflight=0

 			NS = unix_peer(S)
 			skb2 = sock_alloc()
			skb_queue_tail(NS, skb2[V])

			// V became in-flight
			// V count=2 inflight=1

			close(V)

			// V count=1 inflight=1
			// GC candidate condition met

						for u in gc_inflight_list:
						  if (total_refs == inflight_refs)
						    add u to gc_candidates

						// gc_candidates={L, V}

						for u in gc_candidates:
						  scan_children(u, dec_inflight)

						// embryo (skb1) was not
						// reachable from L yet, so V's
						// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
						for u in gc_candidates:
						  if (u.inflight)
						    scan_children(u, inc_inflight_move_tail)

						// V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.

The Linux kernel CVE team has assigned CVE-2024-26923 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.23 with commit 1fd05ba5a2f2 and fixed in 5.15.156 with commit e76c2678228f
	Issue introduced in 2.6.23 with commit 1fd05ba5a2f2 and fixed in 6.1.87 with commit b75722be422c
	Issue introduced in 2.6.23 with commit 1fd05ba5a2f2 and fixed in 6.6.28 with commit 507cc232ffe5
	Issue introduced in 2.6.23 with commit 1fd05ba5a2f2 and fixed in 6.8.7 with commit dbdf7bec5c92
	Issue introduced in 2.6.23 with commit 1fd05ba5a2f2 and fixed in 6.9-rc4 with commit 47d8ac011fe1

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26923
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/unix/garbage.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51
	https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c
	https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9
	https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009
	https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2024-04-24 21:49 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-24 21:49 CVE-2024-26923: af_unix: Fix garbage collector racing against connect() Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).