CVE ID: CVE-2024-36972

Description: In the Linux kernel, the following vulnerability has been resolved:

af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob(). __unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly. However, the peer socket still can send a MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading to a NULL pointer dereference. [0]

To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb.

Note that we defer kfree_skb() in manage_oob() to silence a lockdep false-positive (See [1]).

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
PF: supervisor write access in kernel mode
PF: error_code(0x0002) - not-present page
PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events delayed_fput
RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
Test IDs: None available
Cross References:

Common Vulnerability Exposure (CVE) ID: CVE-2024-36972
https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3
https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1
https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1
https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2
https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636