CVE-2024-44946

In the Linux kernel, the following vulnerability has been resolved:

kcm: Serialise kcm_sendmsg() for the same socket.

syzkaller reported UAF in kcm_release(). [0]

The scenario is

1. Thread A builds a skb with MSGMORE and sets kcm->seqskb.

2. Thread A resumes building skb from kcm->seqskb but is blocked by skstreamwaitmemory()

3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue

4. Thread A faces an error and finally frees skb that is already in the write queue

5. kcm_release() does double-free the skb in the write queue

When a thread is building a MSG_MORE skb, another thread must not touch it.

Let's add a per-sk mutex and serialise kcm_sendmsg().

BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skbqueuepurge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in _skbqueuepurge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcmrelease+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167

CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dumpbacktrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 showstack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dumpstack lib/dumpstack.c:88 [inline] dump_stacklvl+0xd0/0x124 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x178/0x518 mm/kasan/report.c:488 kasanreport+0xd8/0x138 mm/kasan/report.c:601 __asanreportload8noabort+0x20/0x2c mm/kasan/reportgeneric.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skbqueuepurge_reason include/linux/skbuff.h:3175 [inline] __skbqueuepurge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sockrelease net/socket.c:659 [inline] sockclose+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ___fput+0x20/0x30 fs/filetable.c:404 taskworkrun+0x230/0x2e0 kernel/taskwork.c:180 exittaskwork include/linux/taskwork.h:38 [inline] doexit+0x618/0x1f64 kernel/exit.c:871 dogroupexit+0x194/0x22c kernel/exit.c:1020 getsignal+0x1500/0x15ec kernel/signal.c:2893 dosignal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 donotifyresume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exittousermodeprepare arch/arm64/kernel/entry-common.c:169 [inline] exittousermode arch/arm64/kernel/entry-common.c:178 [inline] el0svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t64synchandler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t64sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 6166: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x40/0x78 mm/kasan/common.c:68 kasansaveallocinfo+0x70/0x84 mm/kasan/generic.c:626 unpoisonslab_object mm/kasan/common.c:314 [inline] __kasanslaballoc+0x74/0x8c mm/kasan/common.c:340 kasanslaballoc include/linux/kasan.h:201 [inline] slabpostallochook mm/slub.c:3813 [inline] slaballocnode mm/slub.c:3860 [inline] kmemcacheallocnode+0x204/0x4c0 mm/slub.c:3903 __allocskb+0x19c/0x3d8 net/core/skbuff.c:641 allocskb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 socksendmsgnosec net/socket.c:730 [inline] __socksendmsg net/socket.c:745 [inline] socksendmsg+0x220/0x2c0 net/socket.c:768 splicetosocket+0x7cc/0xd58 fs/splice.c:889 dosplicefrom fs/splice.c:941 [inline] directspliceactor+0xec/0x1d8 fs/splice.c:1164 splicedirecttoactor+0x438/0xa0c fs/splice.c:1108 dosplicedirectactor ---truncated---