- Vulnerability/
- CVE-2024-26750
CVE-2024-26750: af_unix: Drop oob_skb ref before purging queue in GC.
First published: Thu Apr 04 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: af_unix: Drop oob_skb ref before purging queue in GC. syzbot reported another task hung in __unix_gc(). [0] The current while loop assumes that all of the left candidates have oob_skb and calling kfree_skb(oob_skb) releases the remaining candidates. However, I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then, the while loop never proceeds, resulting the task hung. __unix_gc() has the same loop just before purging the collected skb, so we can call kfree_skb(oob_skb) there and let __skb_queue_purge() release all inflight sockets. [0]: Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200 Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70 RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287 RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84 R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> __unix_gc+0xe69/0xf40 net/unix/garbage.c:343 process_one_work kernel/workqueue.c:2633 [inline] process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706 worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787 kthread+0x2ef/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 </TASK>
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/linux | <5.15.0-112.122 | 5.15.0-112.122 |
| ubuntu/linux | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-aws | <5.15.0-1063.69 | 5.15.0-1063.69 |
| ubuntu/linux-aws | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-aws-5.15 | <5.15.0-1063.69~20.04.1 | 5.15.0-1063.69~20.04.1 |
| ubuntu/linux-aws-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-aws-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-aws-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-aws-fips | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-aws-hwe | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure | <5.15.0-1066.75 | 5.15.0-1066.75 |
| ubuntu/linux-azure | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-4.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-fde | <5.15.0-1067.76.1 | 5.15.0-1067.76.1 |
| ubuntu/linux-azure-fde | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-fde-5.15 | <5.15.0-1065.74~20.04.1.1 | 5.15.0-1065.74~20.04.1.1 |
| ubuntu/linux-azure-fde-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-azure-fips | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-bluefield | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-fips | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gcp | <5.15.0-1062.70 | 5.15.0-1062.70 |
| ubuntu/linux-gcp | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gcp-4.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gcp-5.15 | <5.15.0-1062.70~20.04.1 | 5.15.0-1062.70~20.04.1 |
| ubuntu/linux-gcp-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gcp-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gcp-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gcp-fips | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gke | <5.15.0-1060.66 | 5.15.0-1060.66 |
| ubuntu/linux-gke | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gkeop | <5.15.0-1046.53 | 5.15.0-1046.53 |
| ubuntu/linux-gkeop | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-gkeop-5.15 | <5.15.0-1046.53~20.04.1 | 5.15.0-1046.53~20.04.1 |
| ubuntu/linux-gkeop-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-hwe | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-hwe-5.15 | <5.15.0-113.123~20.04.1 | 5.15.0-113.123~20.04.1 |
| ubuntu/linux-hwe-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-hwe-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-hwe-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-ibm | <5.15.0-1056.59 | 5.15.0-1056.59 |
| ubuntu/linux-ibm | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-ibm-5.15 | <5.15.0-1057.60~20.04.1 | 5.15.0-1057.60~20.04.1 |
| ubuntu/linux-ibm-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-ibm-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-intel | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-intel-iotg | <5.15.0-1058.64 | 5.15.0-1058.64 |
| ubuntu/linux-intel-iotg | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-intel-iotg-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-iot | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-kvm | <5.15.0-1060.65 | 5.15.0-1060.65 |
| ubuntu/linux-kvm | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-laptop | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-lowlatency | <5.15.0-110.120 | 5.15.0-110.120 |
| ubuntu/linux-lowlatency | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-lowlatency-hwe-5.15 | <5.15.0-110.120~20.04.1 | 5.15.0-110.120~20.04.1 |
| ubuntu/linux-lowlatency-hwe-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-lowlatency-hwe-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-lts-xenial | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-nvidia | <5.15.0-1058.59 | 5.15.0-1058.59 |
| ubuntu/linux-nvidia | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-nvidia-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-oem-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-oem-6.8 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-oracle | <5.15.0-1061.67 | 5.15.0-1061.67 |
| ubuntu/linux-oracle | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-oracle-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-oracle-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-oracle-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-raspi | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-raspi-5.4 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-riscv | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-riscv-5.15 | <5.15.0-1059.63~20.04.1 | 5.15.0-1059.63~20.04.1 |
| ubuntu/linux-riscv-5.15 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-riscv-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-starfive | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-starfive-6.5 | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| ubuntu/linux-xilinx-zynqmp | <6.8~<5.15.151 | 6.8~ 5.15.151 |
| debian/linux | 5.10.218-1 5.10.221-1 6.1.94-1 6.1.99-1 6.9.10-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
- https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
- https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
- https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
- https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d
- https://launchpad.net/bugs/cve/CVE-2024-26750
- https://git.kernel.org/linus/aa82ac51d63328714645c827775d64dbfd9941f3
- https://security-tracker.debian.org/tracker/CVE-2024-26750
- https://www.cve.org/CVERecord?id=CVE-2024-26750
- https://ubuntu.com/security/notices/USN-6820-1
- https://ubuntu.com/security/notices/USN-6821-1
- https://ubuntu.com/security/notices/USN-6821-2
- https://ubuntu.com/security/notices/USN-6828-1
- https://ubuntu.com/security/notices/USN-6820-2
- https://ubuntu.com/security/notices/USN-6821-3
- https://ubuntu.com/security/notices/USN-6821-4
- https://ubuntu.com/security/notices/USN-6871-1
- https://ubuntu.com/security/notices/USN-6892-1
- https://nvd.nist.gov/vuln/detail/CVE-2024-26750
- https://git.kernel.org/linus/25236c91b5ab4a26a56ba2e79b8060cf4e047839
- https://ubuntu.com/security/CVE-2024-26750
Parent vulnerabilities
(Appears in the following advisories)
- agent/severity
- agent/title
- agent/type
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- agent/author
- agent/description
- agent/event
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- package-manager/ubuntu