CVE-2024-26923

af_unix: Fix garbage collector racing against connect()

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc()
---------------- ------------------------- -----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
// V count=1 inflight=0

NS = unix_peer(S)
skb2 = sock_alloc()
skb_queue_tail(NS, skb2[V])

// V became in-flight
// V count=2 inflight=1

close(V)

// V count=1 inflight=1
// GC candidate condition met

for u in gc_inflight_list:
if (total_refs == inflight_refs)
add u to gc_candidates

// gc_candidates={L, V}

for u in gc_candidates:
scan_children(u, dec_inflight)

// embryo (skb1) was not
// reachable from L yet, so V's
// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
for u in gc_candidates:
if (u.inflight)
scan_children(u, inc_inflight_move_tail)

// V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: af_unix: corrige la ejecución del recolector de basura contra connect() El recolector de basura no tiene en cuenta el riesgo de que el embrión quede en cola durante la recolección de basura. Si dicho embrión tiene un par que porta SCM_RIGHTS, dos pases consecutivos de scan_children() pueden ver un conjunto diferente de niños. Lo que lleva a un recuento en vuelo elevado incorrectamente y luego a un puntero colgante dentro de gc_inflight_list. los sockets son AF_UNIX/SOCK_STREAM S es un socket no conectado L es un socket de escucha en vuelo vinculado a addr, no en fdtable El fd de V se pasará a través de sendmsg(), se aumenta el recuento en vuelo connect(S, addr) sendmsg(S, [ V]); cerrar(V) __unix_gc() ---------- ------------------------- -- --------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 en vuelo=0 NS = unix_peer(S ) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V se convirtió en vuelo // V recuento=2 en vuelo=1 close(V) // V recuento=1 en vuelo=1 // Condición candidata de GC cumplida para u en gc_inflight_list: if (total_refs == inflight_refs) agregue u a gc_candidates // gc_candidates={L, V} para u en gc_candidates: scan_children(u, dec_inflight) // el embrión (skb1) aún no era // accesible desde L , por lo que V's // en vuelo permanece sin cambios __skb_queue_tail(L, skb1) unix_state_unlock(L) para u en gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) Si hay un socket de escucha candidato a GC, bloquear/desbloquear su estado. Esto hace que GC espere hasta el final de cualquier conexión () en curso a ese socket. Después de girar la cerradura, un embrión posiblemente cargado de SCM ya está en cola. Y si viene otro embrión, no es posible que porte SCM_RIGHTS. En este punto, unix_inflight() no puede ocurrir porque unix_gc_lock ya está en uso. El gráfico a bordo no se ve afectado.

A flaw was found in the Linux kernel, where the management of inter-process communication uses AF_UNIX sockets. The issue arises from a race condition where a partially initialized socket with specific permissions carrying SCM_RIGHTS is improperly handled during garbage collection. This situation leads to an incorrect count of active sockets, potentially causing resources to remain unaccounted for and never released.

*Credits: N/A

CVSS Scores

Red Hatv3.1 7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-24 CVE Published
2024-05-03 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423	2024-05-17
https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f	2024-05-02
https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3	2024-05-02
https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51	2024-04-17
https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c	2024-04-17
https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9	2024-04-17
https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009	2024-04-17
https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51	2024-04-11

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26923	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2277171	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 4.19.314 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 4.19.314"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 5.4.275 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 5.4.275"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 5.10.216 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 5.10.216"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 5.15.156 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 5.15.156"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.1.87 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.1.87"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.6.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.6.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.8.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.8.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.9"		en		Affected