CVE-2024-50154

CVE Details

Release Date:

2024-11-07

Description

In the Linux kernel, the following vulnerability has been resolved:\ntcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n'''\nWe are seeing a use-after-free from a bpf prog attached to\ntrace_tcp_retransmit_synack. The program passes the req->sk to the\nbpf_sk_storage_get_tracing kernel helper which does check for null\nbefore using it.\n'''\nThe commit 83fccfc3940c ('inet: fix potential deadlock in\nreqsk_queue_unlink()') added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer->entry.pprev and marks it as not pending.\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\nThe reported UAF could happen if req->sk is close()d earlier than the timer\nexpiration, which is 63s by default.\nThe scenario would be\n1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\nbut del_timer_sync() is missed\n2. reqsk timer is executed and scheduled again\n3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but\nreqsk timer still has another one, and inet_csk_accept() does not\nclear req->sk for non-TFO sockets\n4. sk is close()d\n5. reqsk timer is executed again, and BPF touches req->sk\nLet's not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb

See more information about CVE-2024-50154 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	7.0
Vector String:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	High
Privileges Required:	Low
User Interaction:	None
Scope:	Unchanged
Confidentiality:	High
Integrity:	High
Availability:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12887	2024-12-18
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12887	2024-12-18