CVE-2024-56642

In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. 0

When bearerdisable() calls tipcudpdisable(), cleanup of the UDP kernel socket is deferred by work calling cleanupbearer().

tipcexitnet() waits for such works to finish by checking tipcnet(net)->wqcount. However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free.

Let's move the decrement after releasing the socket in cleanup_bearer().

 sk_alloc+0x438/0x608
 inet_create+0x4c8/0xcb0
 __sock_create+0x350/0x6b8
 sock_create_kern+0x58/0x78
 udp_sock_create4+0x68/0x398
 udp_sock_create+0x88/0xc8
 tipc_udp_enable+0x5e8/0x848
 __tipc_nl_bearer_enable+0x84c/0xed8
 tipc_nl_bearer_enable+0x38/0x60
 genl_family_rcv_msg_doit+0x170/0x248
 genl_rcv_msg+0x400/0x5b0
 netlink_rcv_skb+0x1dc/0x398
 genl_rcv+0x44/0x68
 netlink_unicast+0x678/0x8b0
 netlink_sendmsg+0x5e4/0x898
 ____sys_sendmsg+0x500/0x830

BUG: KMSAN: use-after-free in udplibunhash+0x3b8/0x930 net/ipv4/udp.c:1979 udphashslot include/net/udp.h:85 [inline] udplibunhash+0x3b8/0x930 net/ipv4/udp.c:1979 skcommonrelease+0xaf/0x3f0 net/core/sock.c:3820 inetrelease+0x1e0/0x260 net/ipv4/afinet.c:437 inet6release+0x6f/0xd0 net/ipv6/afinet6.c:489 _sockrelease net/socket.c:658 [inline] sockrelease+0xa0/0x210 net/socket.c:686 cleanupbearer+0x42d/0x4c0 net/tipc/udpmedia.c:819 processonework kernel/workqueue.c:3229 [inline] processscheduledworks+0xcaf/0x1c90 kernel/workqueue.c:3310 workerthread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 retfromfork+0x60/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x11/0x20 arch/x86/entry/entry_64.S:244

Uninit was created at: slabfreehook mm/slub.c:2269 [inline] slabfree mm/slub.c:4580 [inline] kmemcachefree+0x207/0xc40 mm/slub.c:4682 netfree net/core/netnamespace.c:454 [inline] cleanupnet+0x16f2/0x19d0 net/core/netnamespace.c:647 processonework kernel/workqueue.c:3229 [inline] processscheduledworks+0xcaf/0x1c90 kernel/workqueue.c:3310 workerthread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 retfromfork+0x60/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x11/0x20 arch/x86/entry/entry64.S:244

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: events cleanup_bearer