CVE-2024-26750
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-26750
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26750.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-26750
- Related
- Published
- 2024-04-04T09:15:07Z
- Modified
- 2024-09-18T03:26:03.064786Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
afunix: Drop oobskb ref before purging queue in GC.
syzbot reported another task hung in _unixgc(). [0]
The current while loop assumes that all of the left candidates have oobskb and calling kfreeskb(oob_skb) releases the remaining candidates.
However, I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then, the while loop never proceeds, resulting the task hung.
_unixgc() has the same loop just before purging the collected skb, so we can call kfreeskb(oobskb) there and let _skbqueue_purge() release all inflight sockets.
NMI backtrace for cpu 1 CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: eventsunbound unixgc RIP: 0010:sanitizercovtracepc+0x0/0x70 kernel/kcov.c:200 Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70 RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287 RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84 R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> _unixgc+0xe69/0xf40 net/unix/garbage.c:343 processonework kernel/workqueue.c:2633 [inline] processscheduledworks+0x913/0x1420 kernel/workqueue.c:2706 workerthread+0xa5f/0x1000 kernel/workqueue.c:2787 kthread+0x2ef/0x390 kernel/kthread.c:388 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1b/0x30 arch/x86/entry/entry64.S:242 </TASK>
- References
-
- https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
- https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
- https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
- https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
- https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d
- https://security-tracker.debian.org/tracker/CVE-2024-26750
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.82-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.7.9-1