DEBIAN-CVE-2024-26782

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inetopt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inetsockdestruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ> dumpstacklvl+0x32/0x50 printreport+0xca/0x620 kasanreportinvalidfree+0x64/0x90 _kasanslabfree+0x1aa/0x1f0 kfree+0xed/0x2e0 inetsockdestruct+0x54f/0x8b0 _skdestruct+0x48/0x5b0 rcudobatch+0x34e/0xd90 rcucore+0x559/0xac0 _dosoftirq+0x183/0x5a4 irqexitrcu+0x12d/0x170 sysvecapictimerinterrupt+0x6b/0x80 </IRQ> <TASK> asmsysvecapictimerinterrupt+0x16/0x20 RIP: 0010:cpuidleenterstate+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidleenter+0x4a/0xa0 doidle+0x310/0x410 cpustartupentry+0x51/0x60 startsecondary+0x211/0x270 secondarystartup64noverify+0x184/0x18b </TASK> Allocated by task 6853: kasansavestack+0x1c/0x40 kasansavetrack+0x10/0x30 _kasankmalloc+0xa6/0xb0 _kmalloc+0x1eb/0x450 cipsov4socksetattr+0x96/0x360 netlblsocksetattr+0x132/0x1f0 selinuxnetlblsocketpostcreate+0x6c/0x110 selinuxsocketpostcreate+0x37b/0x7f0 securitysocketpostcreate+0x63/0xb0 _sockcreate+0x305/0x450 _syssocketcreate.part.23+0xbd/0x130 _syssocket+0x37/0xb0 _x64syssocket+0x6f/0xb0 dosyscall64+0x83/0x160 entrySYSCALL64afterhwframe+0x6e/0x76 Freed by task 6858: kasansavestack+0x1c/0x40 kasansavetrack+0x10/0x30 kasansavefreeinfo+0x3b/0x60 _kasanslabfree+0x12c/0x1f0 kfree+0xed/0x2e0 inetsockdestruct+0x54f/0x8b0 _skdestruct+0x48/0x5b0 subflowulprelease+0x1f0/0x250 tcpcleanupulp+0x6e/0x110 tcpv4destroysock+0x5a/0x3a0 inetcskdestroysock+0x135/0x390 tcpfin+0x416/0x5c0 tcpdataqueue+0x1bc8/0x4310 tcprcvstateprocess+0x15a3/0x47b0 tcpv4dorcv+0x2c1/0x990 tcpv4rcv+0x41fb/0x5ed0 ipprotocoldeliverrcu+0x6d/0x9f0 iplocaldeliverfinish+0x278/0x360 iplocaldeliver+0x182/0x2c0 iprcv+0xb5/0x1c0 _netifreceiveskbonecore+0x16e/0x1b0 processbacklog+0x1e3/0x650 _napipoll+0xa6/0x500 netrxaction+0x740/0xbb0 _dosoftirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) pagetype: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---