{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26732","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.165Z","datePublished":"2024-04-03T17:00:19.722Z","dateUpdated":"2025-05-04T08:55:09.239Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:55:09.239Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: implement lockless setsockopt(SO_PEEK_OFF)\n\nsyzbot reported a lockdep violation [1] involving af_unix\nsupport of SO_PEEK_OFF.\n\nSince SO_PEEK_OFF is inherently not thread safe (it uses a per-socket\nsk_peek_off field), there is really no point to enforce a pointless\nthread safety in the kernel.\n\nAfter this patch :\n\n- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.\n\n- skb_consume_udp() no longer has to acquire the socket lock.\n\n- af_unix no longer needs a special version of sk_set_peek_off(),\n  because it does not lock u->iolock anymore.\n\nAs a followup, we could replace prot->set_peek_off to be a boolean\nand avoid an indirect call, since we always use sk_set_peek_off().\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted\n\nsyz-executor.2/30025 is trying to acquire lock:\n ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n\nbut task is already holding lock:\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:\n        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n        lock_sock_nested+0x48/0x100 net/core/sock.c:3524\n        lock_sock include/net/sock.h:1691 [inline]\n        __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415\n        sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046\n        ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801\n        ___sys_recvmsg net/socket.c:2845 [inline]\n        do_recvmmsg+0x474/0xae0 net/socket.c:2939\n        __sys_recvmmsg net/socket.c:3018 [inline]\n        __do_sys_recvmmsg net/socket.c:3041 [inline]\n        __se_sys_recvmmsg net/socket.c:3034 [inline]\n        __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n       do_syscall_64+0xf9/0x240\n       entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\n-> #0 (&u->iolock){+.+.}-{3:3}:\n        check_prev_add kernel/locking/lockdep.c:3134 [inline]\n        check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n        validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n        __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n        __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n        __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n        unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n       sk_setsockopt+0x207e/0x3360\n        do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307\n        __sys_setsockopt+0x1ad/0x250 net/socket.c:2334\n        __do_sys_setsockopt net/socket.c:2343 [inline]\n        __se_sys_setsockopt net/socket.c:2340 [inline]\n        __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n       do_syscall_64+0xf9/0x240\n       entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(sk_lock-AF_UNIX);\n                               lock(&u->iolock);\n                               lock(sk_lock-AF_UNIX);\n  lock(&u->iolock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor.2/30025:\n  #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n  #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n  #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nstack backtrace:\nCPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0\nHardware name: Google Google C\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/sock.c","net/ipv4/udp.c","net/unix/af_unix.c"],"versions":[{"version":"859051dd165ec6cc915f0f2114699021144fd249","lessThan":"897f75e2cde8a5f9f7529b55249af1fa4248c83b","status":"affected","versionType":"git"},{"version":"859051dd165ec6cc915f0f2114699021144fd249","lessThan":"56667da7399eb19af857e30f41bea89aa6fa812c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/sock.c","net/ipv4/udp.c","net/unix/af_unix.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.7.7","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/897f75e2cde8a5f9f7529b55249af1fa4248c83b"},{"url":"https://git.kernel.org/stable/c/56667da7399eb19af857e30f41bea89aa6fa812c"}],"title":"net: implement lockless setsockopt(SO_PEEK_OFF)","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T19:28:35.916343Z","id":"CVE-2024-26732","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-17T19:28:53.102Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:12.930Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/897f75e2cde8a5f9f7529b55249af1fa4248c83b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/56667da7399eb19af857e30f41bea89aa6fa812c","tags":["x_transferred"]}]}]}}