cve-2024-36938
Vulnerability from cvelistv5
Published
2024-05-30 15:29
Modified
2024-08-02 03:43
Severity
Summary
bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-36938", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-04T15:38:33.489892Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:04.434Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:43:50.528Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/linux/skmsg.h", "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c0809c128dad", "status": "affected", "version": "604326b41a6f", "versionType": "git" }, { "lessThan": "5965bc7535fb", "status": "affected", "version": "604326b41a6f", "versionType": "git" }, { "lessThan": "39dc9e144238", "status": "affected", "version": "604326b41a6f", "versionType": "git" }, { "lessThan": "b397a0ab8582", "status": "affected", "version": "604326b41a6f", "versionType": "git" }, { "lessThan": "772d5729b5ff", "status": "affected", "version": "604326b41a6f", "versionType": "git" }, { "lessThan": "6648e613226e", "status": "affected", "version": "604326b41a6f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/linux/skmsg.h", "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.20" }, { "lessThan": "4.20", "status": "unaffected", "version": "0", "versionType": "custom" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.223", "versionType": "custom" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.159", "versionType": "custom" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.91", "versionType": "custom" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.31", "versionType": "custom" }, { "lessThanOrEqual": "6.8.*", "status": "unaffected", "version": "6.8.10", "versionType": "custom" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -\u003e 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(\u0026sk-\u003esk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend." } ], "providerMetadata": { "dateUpdated": "2024-07-29T06:28:29.164Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" }, { "url": "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d" }, { "url": "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27" }, { "url": "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87" }, { "url": "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80" }, { "url": "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365" } ], "title": "bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue", "x_generator": { "engine": "bippy-c9c4e1df01b2" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-36938", "datePublished": "2024-05-30T15:29:26.929Z", "dateReserved": "2024-05-30T15:25:07.071Z", "dateUpdated": "2024-08-02T03:43:50.528Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-36938\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-30T16:15:16.897\",\"lastModified\":\"2024-07-29T07:15:03.883\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\\n\\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\\nsyzbot reported [1].\\n\\n[1]\\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\\n\\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\\n sk_psock_put include/linux/skmsg.h:459 [inline]\\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0x68/0x150 net/socket.c:1421\\n __fput+0x2c1/0x660 fs/file_table.c:422\\n __fput_sync+0x44/0x60 fs/file_table.c:507\\n __do_sys_close fs/open.c:1556 [inline]\\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\\n do_syscall_64+0xd3/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\\n unix_read_skb net/unix/af_unix.c:2546 [inline]\\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x140/0x180 net/socket.c:745\\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\\n ___sys_sendmsg net/socket.c:2638 [inline]\\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\\n do_syscall_64+0xd3/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nvalue changed: 0xffffffff83d7feb0 -\u003e 0x0000000000000000\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\n\\nPrior to this, commit 4cd12c6065df (\\\"bpf, sockmap: Fix NULL pointer\\ndereference in sk_psock_verdict_data_ready()\\\") fixed one NULL pointer\\nsimilarly due to no protection of saved_data_ready. Here is another\\ndifferent caller causing the same issue because of the same reason. So\\nwe should protect it with sk_callback_lock read lock because the writer\\nside in the sk_psock_drop() uses \\\"write_lock_bh(\u0026sk-\u003esk_callback_lock);\\\".\\n\\nTo avoid errors that could happen in future, I move those two pairs of\\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf, skmsg: Se corrigi\u00f3 la desreferencia del puntero NULL en sk_psock_skb_ingress_enqueue Se corrigieron las ejecuci\u00f3ns de datos del puntero NULL en sk_psock_skb_ingress_enqueue() que syzbot inform\u00f3 [1]. [1] ERROR: KCSAN: ejecuci\u00f3n de datos en sk_psock_drop / sk_psock_skb_ingress_enqueue escribe en 0xffff88814b3278b8 de 8 bytes por tarea 10724 en la CPU 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [en l\u00ednea] 0 neto/n\u00facleo/skmsg .c:843 sk_psock_put include/linux/skmsg.h:459 [en l\u00ednea] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket. c:659 [en l\u00ednea] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [en l\u00ednea] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 leer en 0xffff8881 4b3278b8 de 8 bytes por tarea 10713 en la CPU 0: sk_psock_data_ready include/linux/skmsg.h:464 [en l\u00ednea] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net /core/skmsg.c: 1008 [en l\u00ednea] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [en l\u00ednea] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 +0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [en l\u00ednea] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x 312/ 0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [en l\u00ednea] __sys_sendmsg+0x1e9/0x280 net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [en l\u00ednea] __se_sys_sendmsg net/socket. c:2674 [en l\u00ednea] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 valor cambiado: 0xffffffff83d7feb0 -\u0026gt; 0x0000000000000000 editado por Kernel Concurrency Sanitizer en: CPU: 0 PID: 10713 Comm: syz-executor .4 Contaminado: GW 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 29/02/2024 Antes de esto, confirme 4cd12c6065df (\\\"bpf, sockmap: corrija el puntero NULL dereference in sk_psock_verdict_data_ready()\\\") arregl\u00f3 un puntero NULL de manera similar debido a que no hay protecci\u00f3n de save_data_ready. Aqu\u00ed hay otra persona que llama y causa el mismo problema por el mismo motivo. Entonces deber\u00edamos protegerlo con el bloqueo de lectura sk_callback_lock porque el lado del escritor en sk_psock_drop() usa \\\"write_lock_bh(\u0026amp;sk-\u0026gt;sk_callback_lock);\\\". Para evitar errores que podr\u00edan ocurrir en el futuro, muevo esos dos pares de candados a sk_psock_data_ready(), sugerido por John Fastabend.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.15.159\",\"matchCriteriaId\":\"6FB93658-2709-4338-A4A2-4EF2B669AC04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.91\",\"matchCriteriaId\":\"4F8C886C-75AA-469B-A6A9-12BF1A29C0D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.31\",\"matchCriteriaId\":\"CDDB1F69-36AC-41C1-9192-E7CCEF5FFC00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.8.10\",\"matchCriteriaId\":\"6A6B920C-8D8F-4130-86B4-AD334F4CF2E3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...