In the Linux kernel, the following vulnerability has been resolved:
afunix: Get userns from inskb in unixdiaggetexact().
Wei Chen reported a NULL deref in skuserns() 0, and Paolo diagnosed the root cause: in unixdiagget_exact(), the newly allocated skb does not have sk. [2]
We must get the userns from the NETLINKCB(inskb).sk and pass it to skdiag_fill().
PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:skuserns include/net/sock.h:920 [inline] RIP: 0010:skdiagdumpuid net/unix/diag.c:119 [inline] RIP: 0010:skdiagfill+0x77d/0x890 net/unix/diag.c:170 Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8 54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b 9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d RSP: 0018:ffffc90000d67968 EFLAGS: 00010246 RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270 RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000 R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800 R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940 FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> unixdiaggetexact net/unix/diag.c:285 [inline] unixdiaghandlerdump+0x3f9/0x500 net/unix/diag.c:317 sockdiagcmd net/core/sockdiag.c:235 [inline] sockdiagrcvmsg+0x237/0x250 net/core/sockdiag.c:266 netlinkrcvskb+0x13e/0x250 net/netlink/afnetlink.c:2564 sockdiagrcv+0x24/0x40 net/core/sockdiag.c:277 netlinkunicastkernel net/netlink/afnetlink.c:1330 [inline] netlinkunicast+0x5e9/0x6b0 net/netlink/afnetlink.c:1356 netlinksendmsg+0x739/0x860 net/netlink/afnetlink.c:1932 socksendmsgnosec net/socket.c:714 [inline] socksendmsg net/socket.c:734 [inline] syssendmsg+0x38f/0x500 net/socket.c:2476 _syssendmsg net/socket.c:2530 [inline] _syssendmsg+0x197/0x230 net/socket.c:2559 _dosyssendmsg net/socket.c:2568 [inline] _sesyssendmsg net/socket.c:2566 [inline] _x64syssendmsg+0x42/0x50 net/socket.c:2566 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x2b/0x70 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x4697f9 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80 R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0 </TASK> Modules linked in: CR2: 0000000000000270