oob_skb if the socket still exists in gc_candidates after purging collected skb. Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL. Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket. [0]: WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Modules linked in: CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 "> oob_skb if,the,socket,still,exists,in,gc_candidates,after,purging,collected skb.,Then,,we,need,to,set,NULL,to,oob_skb,before,calling,kfree_skb() because,it,calls,last,fput(),and,triggers,unix_release_sock(),,where we,call,duplicate,kfree_skb(u->oob_skb),if,not,NULL.,Note,that,the leaked,socket,remained,being,linked,to,a,global,list,,so,kmemleak,also could,not,detect,it.,We,need,to,check,/proc/net/protocol,to,notice,the unfreed,socket.,[0]:,WARNING:,CPU:,0,PID:,2863,at net/unix/garbage.c:345,__unix_gc+0xc74/0xe80,net/unix/garbage.c:345 Modules,linked,in:,CPU:,0,PID:,2863,Comm:,kworker/u4:11,Not,tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02,#0,Hardware,name:,Google Google,Compute,Engine/Google,Compute,Engine,,BIOS,Google,01/25/2024 Workqueue:,events_unbound,__unix_gc,RIP:,0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345,Code:,8b,5c,24,50,e9,86,f8,ff,ff,e8,f8,e4,22,f8 31,d2,48,c7,c6,30,6a,69,89,4c,89,ef,e8,97,ef,ff,ff,e9,80,f9,ff,ff,e8 dd,e4,22,f8,90,<0f>,0b,90,e9,7b,fd,ff,ff,48,89,df,e8,5c,e7,7c,f8,e9,d3 f8,ff,ff,e8,RSP:,0018:ffffc9000b03fba0,EFLAGS:,00010293,RAX: 0000000000000000,RBX:,ffffc9000b03fc10,RCX:,ffffffff816c493e,RDX: ffff88802c02d940,RSI:,ffffffff896982f3,RDI:,ffffc9000b03fb30,RBP: ffffc9000b03fce0,R08:,0000000000000001,R09:,fffff52001607f66,R10: 0000000000000003,R11:,0000000000000002,R12:,dffffc0000000000,R13: ffffc9000b03fc10,R14:,ffffc9000b03fc10,R15:,0000000000000001,FS: 0000000000000000(0000),GS:ffff8880b9400000(0000) knlGS:0000000000000000,CS:,0010,DS:,0000,ES:,0000,CR0: 0000000080050033,CR2:,00005559c8677a60,CR3:,000000000d57a000,CR4: 00000000003506f0,DR0:,0000000000000000,DR1:,0000000000000000,DR2: 0000000000000000,DR3:,0000000000000000,DR6:,00000000fffe0ff0,DR7: 0000000000000400,Call,Trace:,,process_one_work+0x889/0x15e0 kernel/workqueue.c:2633,process_scheduled_works kernel/workqueue.c:2706,[inline],worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787,kthread+0x2c6/0x3b0,kernel/kthread.c:388 ret_from_fork+0x45/0x80,arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30,arch/x86/entry/entry_64.S:242, "> SecuritySpace - CVE-2024-26676
 
English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 146377 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

CVE ID:CVE-2024-26676
Description:In the Linux kernel, the following vulnerability has been resolved: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. syzbot reported a warning [0] in __unix_gc() with a repro, which creates a socketpair and sends one socket's fd to itself using the peer. socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 This forms a self-cyclic reference that GC should finally untangle but does not due to lack of MSG_OOB handling, resulting in memory leak. Recently, commit 11498715f266 ("af_unix: Remove io_uring code for GC.") removed io_uring's dead code in GC and revealed the problem. The code was executed at the final stage of GC and unconditionally moved all GC candidates from gc_candidates to gc_inflight_list. That papered over the reported problem by always making the following WARN_ON_ONCE(!list_empty(&gc_candidates)) false. The problem has been there since commit 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") added full scm support for MSG_OOB while fixing another bug. To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb if the socket still exists in gc_candidates after purging collected skb. Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL. Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket. [0]: WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Modules linked in: CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
Test IDs: None available
Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2024-26676
https://git.kernel.org/stable/c/1279f9d9dec2d7462823a18c29ad61359e0a007d
https://git.kernel.org/stable/c/1279f9d9dec2d7462823a18c29ad61359e0a007d
https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668
https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668
https://git.kernel.org/stable/c/82ae47c5c3a6b27fdc0f9e83c1499cb439c56140
https://git.kernel.org/stable/c/82ae47c5c3a6b27fdc0f9e83c1499cb439c56140
https://git.kernel.org/stable/c/b74aa9ce13d02b7fd37c5325b99854f91b9b4276
https://git.kernel.org/stable/c/b74aa9ce13d02b7fd37c5325b99854f91b9b4276
https://git.kernel.org/stable/c/e0e09186d8821ad59806115d347ea32efa43ca4b
https://git.kernel.org/stable/c/e0e09186d8821ad59806115d347ea32efa43ca4b



© 1998-2025 E-Soft Inc. All rights reserved.