CVE-2024-44946
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-44946
CVE Details
| Release Date: | 2024-08-31 |
Description
In the Linux kernel, the following vulnerability has been resolved:\nkcm: Serialise kcm_sendmsg() for the same socket.\nsyzkaller reported UAF in kcm_release(). [0]\nThe scenario is\n1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.\n2. Thread A resumes building skb from kcm->seq_skb but is blocked\nby sk_stream_wait_memory()\n3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb\nand puts the skb to the write queue\n4. Thread A faces an error and finally frees skb that is already in the\nwrite queue\n5. kcm_release() does double-free the skb in the write queue\nWhen a thread is building a MSG_MORE skb, another thread must not touch it.\nLet's add a per-sk mutex and serialise kcm_sendmsg().\n[0]:\nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]\nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]\nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]\nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167\nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall trace:\ndump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291\nshow_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x178/0x518 mm/kasan/report.c:488\nkasan_report+0xd8/0x138 mm/kasan/report.c:601\n__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n__skb_unlink include/linux/skbuff.h:2366 [inline]\n__skb_dequeue include/linux/skbuff.h:2385 [inline]\n__skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\n__skb_queue_purge include/linux/skbuff.h:3181 [inline]\nkcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\n__sock_release net/socket.c:659 [inline]\nsock_close+0xa4/0x1e8 net/socket.c:1421\n__fput+0x30c/0x738 fs/file_table.c:376\n____fput+0x20/0x30 fs/file_table.c:404\ntask_work_run+0x230/0x2e0 kernel/task_work.c:180\nexit_task_work include/linux/task_work.h:38 [inline]\ndo_exit+0x618/0x1f64 kernel/exit.c:871\ndo_group_exit+0x194/0x22c kernel/exit.c:1020\nget_signal+0x1500/0x15ec kernel/signal.c:2893\ndo_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249\ndo_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148\nexit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]\nexit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]\nel0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713\nel0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nAllocated by task 6166:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x40/0x78 mm/kasan/common.c:68\nkasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626\nunpoison_slab_object mm/kasan/common.c:314 [inline]\n__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340\nkasan_slab_alloc include/linux/kasan.h:201 [inline]\nslab_post_alloc_hook mm/slub.c:3813 [inline]\nslab_alloc_node mm/slub.c:3860 [inline]\nkmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903\n__alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1296 [inline]\nkcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\nsock_sendmsg+0x220/0x2c0 net/socket.c:768\nsplice_to_socket+0x7cc/0xd58 fs/splice.c:889\ndo_splice_from fs/splice.c:941 [inline]\ndirect_splice_actor+0xec/0x1d8 fs/splice.c:1164\nsplice_direct_to_actor+0x438/0xa0c fs/splice.c:1108\ndo_splice_direct_actor \n---truncated---
See more information about CVE-2024-44946 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 5.5 |
| Vector String: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | Low |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality: | None |
| Integrity: | None |
| Availability: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12813 | 2024-11-12 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12868 | 2024-12-06 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12813 | 2024-11-12 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12815 | 2024-11-11 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12815 | 2024-11-11 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
