In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix double-free on socket dismantle
When an MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat:
BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0
Free of addr ffff888485950880 by task swapper/25/0

CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609
Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
Call Trace:
 <IRQ>
 dump_stack_lvl+0x32/0x50
 print_report+0xca/0x620
 kasan_report_invalid_free+0x64/0x90
 __kasan_slab_free+0x1aa/0x1f0
 kfree+0xed/0x2e0
 inet_sock_destruct+0x54f/0x8b0
 __sk_destruct+0x48/0x5b0
 rcu_do_batch+0x34e/0xd90
 rcu_core+0x559/0xac0
 __do_softirq+0x183/0x5a4
 irq_exit_rcu+0x12d/0x170
 sysvec_apic_timer_interrupt+0x6b/0x80
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:cpuidle_enter_state+0x175/0x300
Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b
RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000
RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588
RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080
R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0
R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80
 cpuidle_enter+0x4a/0xa0
 do_idle+0x310/0x410
 cpu_startup_entry+0x51/0x60
 start_secondary+0x211/0x270
 secondary_startup_64_no_verify+0x184/0x18b
 </TASK>

Allocated by task 6853:
 kasan_save_stack+0x1c/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0xa6/0xb0
 __kmalloc+0x1eb/0x450
 cipso_v4_sock_setattr+0x96/0x360
 netlbl_sock_setattr+0x132/0x1f0
 selinux_netlbl_socket_post_create+0x6c/0x110
 selinux_socket_post_create+0x37b/0x7f0
 security_socket_post_create+0x63/0xb0
 __sock_create+0x305/0x450
 __sys_socket_create.part.23+0xbd/0x130
 __sys_socket+0x37/0xb0
 __x64_sys_socket+0x6f/0xb0
 do_syscall_64+0x83/0x160
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Freed by task 6858:
 kasan_save_stack+0x1c/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x12c/0x1f0
 kfree+0xed/0x2e0
 inet_sock_destruct+0x54f/0x8b0
 __sk_destruct+0x48/0x5b0
 subflow_ulp_release+0x1f0/0x250
 tcp_cleanup_ulp+0x6e/0x110
 tcp_v4_destroy_sock+0x5a/0x3a0
 inet_csk_destroy_sock+0x135/0x390
 tcp_fin+0x416/0x5c0
 tcp_data_queue+0x1bc8/0x4310
 tcp_rcv_state_process+0x15a3/0x47b0
 tcp_v4_do_rcv+0x2c1/0x990
 tcp_v4_rcv+0x41fb/0x5ed0
 ip_protocol_deliver_rcu+0x6d/0x9f0
 ip_local_deliver_finish+0x278/0x360
 ip_local_deliver+0x182/0x2c0
 ip_rcv+0xb5/0x1c0
 __netif_receive_skb_one_core+0x16e/0x1b0
 process_backlog+0x1e3/0x650
 __napi_poll+0xa6/0x500
 net_rx_action+0x740/0xbb0
 __do_softirq+0x183/0x5a4

The buggy address belongs to the object at ffff888485950880
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff888485950880, ffff8884859508c0)

The buggy address belongs to the physical page:
page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950
flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006
raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888485950780: fa fb fb ---truncated---
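The ownership mistake described above, as an added userspace model written for this page (it is not code from the kernel or from the MPTCP fix). The listener owns an options blob allocated when the socket is created (the "Allocated by" stack shows it coming from cipso_v4_sock_setattr via SELinux NetLabel); the clone made on accept copies only the pointer, so the subflow's teardown on FIN frees the blob and the listener's teardown on exit frees it again. The struct names, the ledger of live blobs that stands in for KASAN's double-free check, the sample option bytes and the deep-copying clone are all this example's own assumptions; the deep copy shows the general ownership fix (each socket frees only what it allocated) and is not a transcription of the upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the per-socket IP options blob that inet_opt points at
 * (the kernel uses struct ip_options_rcu; this is a simplified model). */
struct ip_opts {
    size_t optlen;
    unsigned char data[40];
};

/* Stand-in for the part of struct inet_sock that owns the options. */
struct sock_model {
    const char *name;
    struct ip_opts *inet_opt;
};

/* Ledger of live blobs: a second free of the same pointer is reported
 * instead of corrupting the heap, playing the role KASAN plays above. */
#define MAX_LIVE 16
static struct ip_opts *live[MAX_LIVE];

static struct ip_opts *opts_alloc(const unsigned char *src, size_t len)
{
    struct ip_opts *p;
    int i;

    if (len > sizeof(p->data) || !(p = calloc(1, sizeof(*p))))
        return NULL;
    p->optlen = len;
    memcpy(p->data, src, len);
    for (i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

/* 0 on a valid free, -1 if p is not a live object (already freed). */
static int opts_free(struct ip_opts *p)
{
    int i;

    if (!p)
        return 0;
    for (i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;  /* pointer compared only, never dereferenced */
}

/* Buggy clone, as in the bug described above: the new socket gets the
 * listener's inet_opt pointer, so two sockets now "own" one blob. */
static void sock_clone_shallow(struct sock_model *nsk, const struct sock_model *sk)
{
    nsk->inet_opt = sk->inet_opt;
}

/* Fixed clone (this model's version of the ownership fix): the new
 * socket gets its own copy, so each destruct frees only its own blob. */
static int sock_clone_deep(struct sock_model *nsk, const struct sock_model *sk)
{
    nsk->inet_opt = NULL;
    if (!sk->inet_opt)
        return 0;
    nsk->inet_opt = opts_alloc(sk->inet_opt->data, sk->inet_opt->optlen);
    return nsk->inet_opt ? 0 : -1;
}

/* Models inet_sock_destruct(): release the options on socket teardown. */
static int sock_destruct(struct sock_model *sk)
{
    int rc = opts_free(sk->inet_opt);

    if (rc)
        fprintf(stderr, "BUG: double-free of inet_opt %p in %s destruct\n",
                (void *)sk->inet_opt, sk->name);
    sk->inet_opt = NULL;
    return rc;
}

/* Replays the splat's order of events and returns how many invalid
 * frees occurred: listener gets options, accept() clones it, the subflow
 * is destroyed first (FIN path), then the listener (program exit). */
int run_dismantle(int deep_copy)
{
    /* Constructed sample payload; the bytes are arbitrary. */
    static const unsigned char sample_opts[] = { 0x86, 0x06, 0x00, 0x01, 0x00, 0x00 };
    struct sock_model listener = { "listener", NULL };
    struct sock_model subflow = { "subflow", NULL };
    int bad = 0;

    listener.inet_opt = opts_alloc(sample_opts, sizeof(sample_opts));
    if (!listener.inet_opt)
        return -1;
    if (deep_copy) {
        if (sock_clone_deep(&subflow, &listener))
            return -1;
    } else {
        sock_clone_shallow(&subflow, &listener);
    }
    bad += sock_destruct(&subflow) ? 1 : 0;   /* first free of the blob */
    bad += sock_destruct(&listener) ? 1 : 0;  /* shallow: same blob again */
    return bad;
}

int main(void)
{
    printf("shallow clone: %d invalid free(s)\n", run_dismantle(0));
    printf("deep copy:     %d invalid free(s)\n", run_dismantle(1));
    return 0;
}
```

The shallow run reports one invalid free from the listener's destructor, matching the splat's shape (first free from the subflow's tcp_v4_destroy_sock path, second from the listener's __sk_destruct); the deep-copy run reports none. When reviewing any clone or accept path, the check is the same: every pointer field copied from the parent must either be NULLed, reference-counted, or duplicated before both objects can reach their destructor.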