{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26865","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.184Z","datePublished":"2024-04-17T10:27:27.522Z","dateUpdated":"2025-05-04T08:58:22.898Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:58:22.898Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\n\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\n\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\n\n  18:26:22 executing program 1:\n  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n  ...\n  connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\n\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\n\nSo, the scenario would be:\n\n  1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n      rds_tcp_listen_init().\n  2. syz-executor connect()s to it and creates a reqsk.\n  3. syz-executor exit()s immediately.\n  4. netns is dismantled.  [0]\n  5. reqsk timer is fired, and UAF happens while freeing reqsk.  [1]\n  6. listener is freed after RCU grace period.  [2]\n\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\n\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\n\nLet's apply the same fix for the global ehash.\n\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n     inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n     __sock_create (net/socket.c:1572)\n     rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n     rds_tcp_init_net (net/rds/tcp.c:577)\n     ops_init (net/core/net_namespace.c:137)\n     setup_net (net/core/net_namespace.c:340)\n     copy_net_ns (net/core/net_namespace.c:497)\n     create_new_namespaces (kernel/nsproxy.c:110)\n     unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n     ksys_unshare (kernel/fork.c:3429)\n     __x64_sys_unshare (kernel/fork.c:3496)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\n\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n </IRQ>\n\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_minisocks.c"],"versions":[{"version":"467fa15356acfb7b2efa38839c3e76caa4e6e0ea","lessThan":"9905a157048f441f1412e7bd13372f4a971d75c6","status":"affected","versionType":"git"},{"version":"467fa15356acfb7b2efa38839c3e76caa4e6e0ea","lessThan":"f901ee07853ce97e9f1104c7c898fbbe447f0279","status":"affected","versionType":"git"},{"version":"467fa15356acfb7b2efa38839c3e76caa4e6e0ea","lessThan":"9ceac040506a05a30b104b2aa2e9146810704500","status":"affected","versionType":"git"},{"version":"467fa15356acfb7b2efa38839c3e76caa4e6e0ea","lessThan":"1e9fd5cf8d7f487332560f7bb312fc7d416817f3","status":"affected","versionType":"git"},{"version":"467fa15356acfb7b2efa38839c3e76caa4e6e0ea","lessThan":"2a750d6a5b365265dbda33330a6188547ddb5c24","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_minisocks.c"],"versions":[{"version":"4.3","status":"affected"},{"version":"0","lessThan":"4.3","status":"unaffected","versionType":"semver"},{"version":"6.1.83","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.23","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.11","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.2","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.1.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.6.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.7.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.8.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6"},{"url":"https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279"},{"url":"https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500"},{"url":"https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3"},{"url":"https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24"}],"title":"rds: tcp: Fix use-after-free of net in reqsk_timer_handler().","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T19:18:52.275032Z","id":"CVE-2024-26865","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-17T19:19:00.459Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:04.158Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24","tags":["x_transferred"]}]}]}}