CVE-2024-44991

Its possible that two threads call tcpskexitbatch() concurrently, once from the cleanupnet workqueue, once from a task that failed to clone a new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns.

tcpskexitbatch() calls tcptwskpurge(). Problem is that since commit b099ce2602d8 ("net: Batch inettwskpurge"), this function picks up twsk in any dying netns, not just the one passed in via exitbatch list.

This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns.

This allows the netns exit worker to proceed to call

WARNONONCE(!refcountdecandtest(&net->ipv4.tcpdeathrow.twrefcount));

without the expected 1 -> 0 transition, which then splats.

At same time, error unwind path that is also running inettwskpurge() will splat as well:

WARNING: .. at lib/refcount.c:31 refcountwarnsaturate+0x1ed/0x210 ... refcountdec include/linux/refcount.h:351 [inline] inettwskkill+0x758/0x9c0 net/ipv4/inettimewaitsock.c:70 inettwskdescheduleput net/ipv4/inettimewaitsock.c:221 inettwskpurge+0x725/0x890 net/ipv4/inettimewaitsock.c:304 tcpskexitbatch+0x1c/0x170 net/ipv4/tcpipv4.c:3522 opsexitlist+0x128/0x180 net/core/netnamespace.c:178 setupnet+0x714/0xb40 net/core/netnamespace.c:375 copynetns+0x2f0/0x670 net/core/netnamespace.c:508 createnewnamespaces+0x3ea/0xb10 kernel/nsproxy.c:110

... because refcountdec() of twrefcount unexpectedly dropped to 0.

This doesn't seem like an actual bug (no tw sockets got lost and I don't see a use-after-free) but as erroneous trigger of debug check.

Add a mutex to force strict ordering: the task that calls tcptwskpurge() blocks other task from doing final decand_test before mutex-owner has removed all tw sockets of dying netns.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8

Fixed

e3d9de3742f4d5c47ae35f888d3023a5b54fcd2f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8

Fixed

99580ae890ec8bd98b21a2a9c6668f8f1555b62e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8

Fixed

f6fd2dbf584a4047ba88d1369ff91c9851261ec1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8

Fixed

565d121b69980637f040eb4d84289869cdaabedf

Affected versions

v6.*

v6.0

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.100

v6.1.101

v6.1.102

v6.1.103

v6.1.104

v6.1.105

v6.1.106

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.9

v6.1.90

v6.1.91

v6.1.92

v6.1.93

v6.1.94

v6.1.95

v6.1.96

v6.1.97

v6.1.98

v6.1.99

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 277.0,
            "function_hash": "167430414399472676513158455899674322230"
        },
        "id": "CVE-2024-44991-0e2dd0ba",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f6fd2dbf584a4047ba88d1369ff91c9851261ec1",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c",
            "function": "tcp_sk_exit_batch"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 277.0,
            "function_hash": "167430414399472676513158455899674322230"
        },
        "id": "CVE-2024-44991-1888ac77",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@565d121b69980637f040eb4d84289869cdaabedf",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c",
            "function": "tcp_sk_exit_batch"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "249806605821603186161259913259055200285",
                "153291043751847599881521367783740331875",
                "243031376890555221872153591917428449761",
                "142995607108540992450888950813322902967",
                "119646743948964429830211239099902328479",
                "238278036579254109366234199789038850552",
                "32772722749649028837009356749463086138",
                "239422875296568987991214659481903223033",
                "190863228386120364337235515353299879849",
                "269387773591805881034878532106407612860"
            ]
        },
        "id": "CVE-2024-44991-19acb391",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3d9de3742f4d5c47ae35f888d3023a5b54fcd2f",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 277.0,
            "function_hash": "167430414399472676513158455899674322230"
        },
        "id": "CVE-2024-44991-38a96386",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@99580ae890ec8bd98b21a2a9c6668f8f1555b62e",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c",
            "function": "tcp_sk_exit_batch"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 277.0,
            "function_hash": "167430414399472676513158455899674322230"
        },
        "id": "CVE-2024-44991-73816197",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3d9de3742f4d5c47ae35f888d3023a5b54fcd2f",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c",
            "function": "tcp_sk_exit_batch"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "249806605821603186161259913259055200285",
                "153291043751847599881521367783740331875",
                "243031376890555221872153591917428449761",
                "142995607108540992450888950813322902967",
                "119646743948964429830211239099902328479",
                "238278036579254109366234199789038850552",
                "32772722749649028837009356749463086138",
                "239422875296568987991214659481903223033",
                "190863228386120364337235515353299879849",
                "269387773591805881034878532106407612860"
            ]
        },
        "id": "CVE-2024-44991-77191df3",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f6fd2dbf584a4047ba88d1369ff91c9851261ec1",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "249806605821603186161259913259055200285",
                "153291043751847599881521367783740331875",
                "243031376890555221872153591917428449761",
                "142995607108540992450888950813322902967",
                "119646743948964429830211239099902328479",
                "238278036579254109366234199789038850552",
                "32772722749649028837009356749463086138",
                "239422875296568987991214659481903223033",
                "190863228386120364337235515353299879849",
                "269387773591805881034878532106407612860"
            ]
        },
        "id": "CVE-2024-44991-90b92aa5",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@99580ae890ec8bd98b21a2a9c6668f8f1555b62e",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "306942740257316457093574800753488575893",
                "96765130306557746829244552156871786087",
                "280965757244423749109224771621465697757",
                "142995607108540992450888950813322902967",
                "119646743948964429830211239099902328479",
                "238278036579254109366234199789038850552",
                "32772722749649028837009356749463086138",
                "239422875296568987991214659481903223033",
                "190863228386120364337235515353299879849",
                "269387773591805881034878532106407612860"
            ]
        },
        "id": "CVE-2024-44991-f1099c16",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@565d121b69980637f040eb4d84289869cdaabedf",
        "target": {
            "file": "net/ipv4/tcp_ipv4.c"
        }
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.107

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.48

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.10.7