CVE-2024-26782

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26782
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26782.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26782
Related
Published
2024-04-04T09:15:08Z
Modified
2024-11-05T10:49:58.123386Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix double-free on socket dismantle

when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat:

BUG: KASAN: double-free in inetsockdestruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0

CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ> dumpstacklvl+0x32/0x50 printreport+0xca/0x620 kasanreportinvalidfree+0x64/0x90 _kasanslabfree+0x1aa/0x1f0 kfree+0xed/0x2e0 inetsockdestruct+0x54f/0x8b0 _skdestruct+0x48/0x5b0 rcudobatch+0x34e/0xd90 rcucore+0x559/0xac0 _dosoftirq+0x183/0x5a4 irqexitrcu+0x12d/0x170 sysvecapictimerinterrupt+0x6b/0x80 </IRQ> <TASK> asmsysvecapictimerinterrupt+0x16/0x20 RIP: 0010:cpuidleenterstate+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidleenter+0x4a/0xa0 doidle+0x310/0x410 cpustartupentry+0x51/0x60 startsecondary+0x211/0x270 secondarystartup64noverify+0x184/0x18b </TASK>

Allocated by task 6853: kasansavestack+0x1c/0x40 kasansavetrack+0x10/0x30 _kasankmalloc+0xa6/0xb0 _kmalloc+0x1eb/0x450 cipsov4socksetattr+0x96/0x360 netlblsocksetattr+0x132/0x1f0 selinuxnetlblsocketpostcreate+0x6c/0x110 selinuxsocketpostcreate+0x37b/0x7f0 securitysocketpostcreate+0x63/0xb0 _sockcreate+0x305/0x450 _syssocketcreate.part.23+0xbd/0x130 _syssocket+0x37/0xb0 _x64syssocket+0x6f/0xb0 dosyscall64+0x83/0x160 entrySYSCALL64afterhwframe+0x6e/0x76

Freed by task 6858: kasansavestack+0x1c/0x40 kasansavetrack+0x10/0x30 kasansavefreeinfo+0x3b/0x60 _kasanslabfree+0x12c/0x1f0 kfree+0xed/0x2e0 inetsockdestruct+0x54f/0x8b0 _skdestruct+0x48/0x5b0 subflowulprelease+0x1f0/0x250 tcpcleanupulp+0x6e/0x110 tcpv4destroysock+0x5a/0x3a0 inetcskdestroysock+0x135/0x390 tcpfin+0x416/0x5c0 tcpdataqueue+0x1bc8/0x4310 tcprcvstateprocess+0x15a3/0x47b0 tcpv4dorcv+0x2c1/0x990 tcpv4rcv+0x41fb/0x5ed0 ipprotocoldeliverrcu+0x6d/0x9f0 iplocaldeliverfinish+0x278/0x360 iplocaldeliver+0x182/0x2c0 iprcv+0xb5/0x1c0 _netifreceiveskbonecore+0x16e/0x1b0 processbacklog+0x1e3/0x650 _napipoll+0xa6/0x500 netrxaction+0x740/0xbb0 _dosoftirq+0x183/0x5a4

The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0)

The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.216-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.82-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.9-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}