vulnerability

Ubuntu: (Multiple Advisories) (CVE-2024-36938): Linux kernel vulnerabilities

Try Surface Command
Back to search
Severity
5
CVSS
(AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published
05/30/2024
Added
08/09/2024
Modified
01/30/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
syzbot reported [1].

[1]
BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
sk_psock_put include/linux/skmsg.h:459 [inline]
sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
unix_release+0x4b/0x80 net/unix/af_unix.c:1048
__sock_release net/socket.c:659 [inline]
sock_close+0x68/0x150 net/socket.c:1421
__fput+0x2c1/0x660 fs/file_table.c:422
__fput_sync+0x44/0x60 fs/file_table.c:507
__do_sys_close fs/open.c:1556 [inline]
__se_sys_close+0x101/0x1b0 fs/open.c:1541
__x64_sys_close+0x1f/0x30 fs/open.c:1541
do_syscall_64+0xd3/0x1d0
entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
sk_psock_data_ready include/linux/skmsg.h:464 [inline]
sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
unix_read_skb net/unix/af_unix.c:2546 [inline]
unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x140/0x180 net/socket.c:745
____sys_sendmsg+0x312/0x410 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x1e9/0x280 net/socket.c:2667
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
do_syscall_64+0xd3/0x1d0
entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
similarly due to no protection of saved_data_ready. Here is another
different caller causing the same issue because of the same reason. So
we should protect it with sk_callback_lock read lock because the writer
side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".

To avoid errors that could happen in future, I move those two pairs of
lock into the sk_psock_data_ready(), which is suggested by John Fastabend.

Solution(s)

ubuntu-upgrade-linux-image-5-15-0-1035-xilinx-zynqmpubuntu-upgrade-linux-image-5-15-0-1050-gkeopubuntu-upgrade-linux-image-5-15-0-1060-ibmubuntu-upgrade-linux-image-5-15-0-1060-raspiubuntu-upgrade-linux-image-5-15-0-1062-intel-iotgubuntu-upgrade-linux-image-5-15-0-1062-nvidiaubuntu-upgrade-linux-image-5-15-0-1062-nvidia-lowlatencyubuntu-upgrade-linux-image-5-15-0-1064-gkeubuntu-upgrade-linux-image-5-15-0-1064-kvmubuntu-upgrade-linux-image-5-15-0-1065-oracleubuntu-upgrade-linux-image-5-15-0-1066-gcpubuntu-upgrade-linux-image-5-15-0-1067-awsubuntu-upgrade-linux-image-5-15-0-1070-azureubuntu-upgrade-linux-image-5-15-0-1070-azure-fdeubuntu-upgrade-linux-image-5-15-0-118-genericubuntu-upgrade-linux-image-5-15-0-118-generic-64kubuntu-upgrade-linux-image-5-15-0-118-generic-lpaeubuntu-upgrade-linux-image-5-15-0-118-lowlatencyubuntu-upgrade-linux-image-5-15-0-118-lowlatency-64kubuntu-upgrade-linux-image-5-4-0-1045-iotubuntu-upgrade-linux-image-5-4-0-1055-xilinx-zynqmpubuntu-upgrade-linux-image-5-4-0-1083-ibmubuntu-upgrade-linux-image-5-4-0-1096-bluefieldubuntu-upgrade-linux-image-5-4-0-1120-raspiubuntu-upgrade-linux-image-5-4-0-1124-kvmubuntu-upgrade-linux-image-5-4-0-1135-oracleubuntu-upgrade-linux-image-5-4-0-1136-awsubuntu-upgrade-linux-image-5-4-0-1140-gcpubuntu-upgrade-linux-image-5-4-0-1142-azureubuntu-upgrade-linux-image-5-4-0-202-genericubuntu-upgrade-linux-image-5-4-0-202-generic-lpaeubuntu-upgrade-linux-image-5-4-0-202-lowlatencyubuntu-upgrade-linux-image-6-8-0-1008-gkeubuntu-upgrade-linux-image-6-8-0-1009-raspiubuntu-upgrade-linux-image-6-8-0-1010-ibmubuntu-upgrade-linux-image-6-8-0-1010-oemubuntu-upgrade-linux-image-6-8-0-1010-oracleubuntu-upgrade-linux-image-6-8-0-1010-oracle-64kubuntu-upgrade-linux-image-6-8-0-1011-nvidiaubuntu-upgrade-linux-image-6-8-0-1011-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1012-azureubuntu-upgrade-linux-image-6-8-0-1012-azure-fdeubuntu-upgrade-linux-image-6-8-0-1012-gcpubuntu-upgrade-linux-image-6-8-0-1013-awsubuntu-upgrade-linux-image-6-8-0-40-genericubuntu-upgrade-linux-image-6-8-0-40-generic-64kubuntu-upgrade-linux-image-6-8-0-40-lowlatencyubuntu-upgrade-linux-image-6-8-0-40-lowlatency-64kubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-lts-20-04ubuntu-upgrade-linux-image-aws-lts-22-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-cvmubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-lts-22-04ubuntu-upgrade-linux-image-azure-lts-20-04ubuntu-upgrade-linux-image-azure-lts-22-04ubuntu-upgrade-linux-image-bluefieldubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-lts-20-04ubuntu-upgrade-linux-image-gcp-lts-22-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-20-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-18-04ubuntu-upgrade-linux-image-generic-hwe-20-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-generic-lpae-hwe-20-04ubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-5-15ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-5-15ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-20-04ubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-intelubuntu-upgrade-linux-image-intel-iotgubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-hwe-18-04ubuntu-upgrade-linux-image-lowlatency-hwe-20-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-oemubuntu-upgrade-linux-image-oem-20-04ubuntu-upgrade-linux-image-oem-20-04bubuntu-upgrade-linux-image-oem-20-04cubuntu-upgrade-linux-image-oem-20-04dubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oem-osp1ubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-lts-20-04ubuntu-upgrade-linux-image-oracle-lts-22-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-hwe-18-04ubuntu-upgrade-linux-image-raspi-nolpaeubuntu-upgrade-linux-image-raspi2ubuntu-upgrade-linux-image-snapdragon-hwe-18-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-18-04ubuntu-upgrade-linux-image-virtual-hwe-20-04ubuntu-upgrade-linux-image-virtual-hwe-24-04ubuntu-upgrade-linux-image-xilinx-zynqmp

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today