CVE-2024-26750 Information
Description
In the Linux kernel the following vulnerability has been resolved:
af_unix: Drop oob_skb ref before purging queue in GC.
syzbot reported another task hung in __unix_gc(). [0]
The current while loop assumes that all of the left candidates have oob_skb and calling kfree_skb(oob_skb) releases the remaining candidates.
However I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then the while loop never proceeds resulting the task hung.
__unix_gc() has the same loop just before purging the collected skb so we can call kfree_skb(oob_skb) there and let __skb_queue_purge() release all inflight sockets.
[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 0
Hardware name: Google Google Compute Engine/Google Compute Engine BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
Reference
https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6 https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60 https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787 https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
Share on: