CVE-2024-26750

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26750
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26750.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26750
Downstream
Related
Published
2024-04-04T08:20:14Z
Modified
2025-10-16T21:45:20.808544Z
Summary
af_unix: Drop oob_skb ref before purging queue in GC.
Details

In the Linux kernel, the following vulnerability has been resolved:

afunix: Drop oobskb ref before purging queue in GC.

syzbot reported another task hung in _unixgc(). [0]

The current while loop assumes that all of the left candidates have oobskb and calling kfreeskb(oob_skb) releases the remaining candidates.

However, I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then, the while loop never proceeds, resulting the task hung.

_unixgc() has the same loop just before purging the collected skb, so we can call kfreeskb(oobskb) there and let _skbqueue_purge() release all inflight sockets.

NMI backtrace for cpu 1 CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: eventsunbound unixgc RIP: 0010:sanitizercovtracepc+0x0/0x70 kernel/kcov.c:200 Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70 RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287 RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84 R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> _unixgc+0xe69/0xf40 net/unix/garbage.c:343 processonework kernel/workqueue.c:2633 [inline] processscheduledworks+0x913/0x1420 kernel/workqueue.c:2706 workerthread+0xa5f/0x1000 kernel/workqueue.c:2787 kthread+0x2ef/0x390 kernel/kthread.c:388 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1b/0x30 arch/x86/entry/entry64.S:242 </TASK>

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
36f7371de977f805750748e80279be7e370df85c
Fixed
6c480d0f131862645d172ca9e25dc152b1a5c3a6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2a3d40b4025fcfe51b04924979f1653993b17669
Fixed
c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
69e0f04460f4037e01e29f0d9675544f62aafca3
Fixed
e9eac260369d0cf57ea53df95427125725507a0d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cb8890318dde26fc89c6ea67d6e9070ab50b6e91
Fixed
43ba9e331559a30000c862eea313248707afa787
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
25236c91b5ab4a26a56ba2e79b8060cf4e047839
Fixed
aa82ac51d63328714645c827775d64dbfd9941f3

Affected versions

v5.*

v5.15.149
v5.15.150

v6.*

v6.8-rc4

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.149
Fixed
5.15.151