CVE-2024-50154

In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*

History

13 Nov 2024, 16:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.0
CWE CWE-416
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1 - () https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1 - Patch
References () https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d - () https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d - Patch
References () https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17 - () https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17 - Patch
References () https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3 - () https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3 - Patch
References () https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f - () https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f - Patch

08 Nov 2024, 19:01

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp/dccp: No use timer_pending() en reqsk_queue_unlink(). Martin KaFai Lau informó de un use-after-free [0] en reqsk_timer_handler(). """ Estamos viendo un use-after-free de un programa bpf adjunto a trace_tcp_retransmit_synack. El programa pasa el req->sk al ayudante del kernel bpf_sk_storage_get_tracing que comprueba si hay valores nulos antes de usarlo. """ El commit 83fccfc3940c ("inet: soluciona un posible bloqueo en reqsk_queue_unlink()") agregó timer_pending() en reqsk_queue_unlink() para no llamar a del_timer_sync() desde reqsk_timer_handler(), pero introdujo una pequeña ventana de ejecución. Antes de que se llame al temporizador, expire_timers() llama a detach_timer(timer, true) para borrar timer->entry.pprev y lo marca como no pendiente. Si reqsk_queue_unlink() comprueba timer_pending() justo después de que expire_timers() llame a detach_timer(), TCP no detectará del_timer_sync(); el temporizador reqsk seguirá funcionando y enviará varios SYN+ACK hasta que expire. El UAF informado podría ocurrir si se cierra req->sk antes de la expiración del temporizador, que es 63 s por defecto. El escenario sería 1. inet_csk_complete_hashdance() llama a inet_csk_reqsk_queue_drop(), pero se omite del_timer_sync() 2. se ejecuta el temporizador reqsk y se programa nuevamente 3. se acepta req->sk y reqsk_put() decrementa rsk_refcnt, pero el temporizador reqsk aún tiene otro, e inet_csk_accept() no borra req->sk para sockets que no sean TFO 4. se cierra sk 5. se ejecuta nuevamente el temporizador reqsk y BPF toca req->sk No usemos timer_pending() pasando el contexto del llamador a __inet_csk_reqsk_queue_drop(). Tenga en cuenta que el temporizador reqsk está fijado, por lo que el problema no ocurre en la mayoría de los casos de uso. [1] [0] ERROR: KFENCE: lectura de use-after-free en bpf_sk_storage_get_tracing+0x2e/0x1b0 Lectura de use-after-free en 0x00000000a891fb3a (en kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, tamaño=2376, caché=TCPv6 asignado por la tarea 0 en la CPU 9 en 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb liberado por la tarea 0 en la CPU 9 a las 260507.927527 s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpu_idle_entrada_estado+0xfb/0x273 cpu_inicio_entrada+0x15e/0x260 inicio_secundario+0x8a/0x90 inicio_secundario_64_sin_verificación+0xfa/0xfb

07 Nov 2024, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-07 10:15

Updated : 2024-12-11 15:15


NVD link : CVE-2024-50154

Mitre link : CVE-2024-50154

CVE.ORG link : CVE-2024-50154


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free