CVE-2024-26781

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26781
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26781.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26781
Related
Published
2024-04-04T09:15:07Z
Modified
2024-11-05T10:49:57.947967Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix possible deadlock in subflow diag

Syzbot and Eric reported a lockdep splat in the subflow diag:

WARNING: possible circular locking dependency detected 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted

syz-executor.2/24141 is trying to acquire lock: ffff888045870130 (k-sklock-AFINET6){+.+.}-{0:0}, at: tcpdiagputulp net/ipv4/tcpdiag.c:100 [inline] ffff888045870130 (k-sklock-AFINET6){+.+.}-{0:0}, at: tcpdiaggetaux+0x738/0x830 net/ipv4/tcpdiag.c:137

but task is already holding lock: ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spinlock include/linux/spinlock.h:351 [inline] ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inetdiagdumpicsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}: lockacquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 _rawspinlock include/linux/spinlockapismp.h:133 [inline] rawspinlock+0x2e/0x40 kernel/locking/spinlock.c:154 spinlock include/linux/spinlock.h:351 [inline] _inethash+0x335/0xbe0 net/ipv4/inethashtables.c:743 inetcsklistenstart+0x23a/0x320 net/ipv4/inetconnectionsock.c:1261 _inetlistensk+0x2a2/0x770 net/ipv4/afinet.c:217 inetlisten+0xa3/0x110 net/ipv4/afinet.c:239 rdstcplisteninit+0x3fd/0x5a0 net/rds/tcplisten.c:316 rdstcpinitnet+0x141/0x320 net/rds/tcp.c:577 opsinit+0x352/0x610 net/core/netnamespace.c:136 _registerpernetoperations net/core/netnamespace.c:1214 [inline] registerpernetoperations+0x2cb/0x660 net/core/netnamespace.c:1283 registerpernetdevice+0x33/0x80 net/core/netnamespace.c:1370 rdstcpinit+0x62/0xd0 net/rds/tcp.c:735 dooneinitcall+0x238/0x830 init/main.c:1236 doinitcalllevel+0x157/0x210 init/main.c:1298 doinitcalls+0x3f/0x80 init/main.c:1314 kernelinitfreeable+0x42f/0x5d0 init/main.c:1551 kernelinit+0x1d/0x2a0 init/main.c:1441 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1b/0x30 arch/x86/entry/entry_64.S:242

-> #0 (k-sklock-AFINET6){+.+.}-{0:0}: checkprevadd kernel/locking/lockdep.c:3134 [inline] checkprevsadd kernel/locking/lockdep.c:3253 [inline] validatechain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869 lockacquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 lockacquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 locksockfast include/net/sock.h:1723 [inline] subflowgetinfo+0x166/0xd20 net/mptcp/diag.c:28 tcpdiagputulp net/ipv4/tcpdiag.c:100 [inline] tcpdiaggetaux+0x738/0x830 net/ipv4/tcpdiag.c:137 inetskdiagfill+0x10ed/0x1e00 net/ipv4/inetdiag.c:345 inetdiagdumpicsk+0x55b/0x1f80 net/ipv4/inetdiag.c:1061 _inetdiagdump+0x211/0x3a0 net/ipv4/inetdiag.c:1263 inetdiagdumpcompat+0x1c1/0x2d0 net/ipv4/inetdiag.c:1371 netlinkdump+0x59b/0xc80 net/netlink/afnetlink.c:2264 _netlinkdumpstart+0x5df/0x790 net/netlink/afnetlink.c:2370 netlinkdumpstart include/linux/netlink.h:338 [inline] inetdiagrcvmsgcompat+0x209/0x4c0 net/ipv4/inetdiag.c:1405 sockdiagrcvmsg+0xe7/0x410 netlinkrcvskb+0x1e3/0x430 net/netlink/afnetlink.c:2543 sockdiagrcv+0x2a/0x40 net/core/sockdiag.c:280 netlinkunicastkernel net/netlink/afnetlink.c:1341 [inline] netlinkunicast+0x7ea/0x980 net/netlink/afnetlink.c:1367 netlinksendmsg+0xa3b/0xd70 net/netlink/afnetlink.c:1908 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x221/0x270 net/socket.c:745 syssendmsg+0x525/0x7d0 net/socket.c:2584 _syssendmsg net/socket.c:2638 [inline] _syssendmsg+0x2b0/0x3a0 net/socket.c:2667 dosyscall64+0xf9/0x240 entrySYSCALL64afterhwframe+0x6f/0x77

As noted by Eric we can break the lock dependency chain avoid dumping ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.216-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.82-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.9-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}