CVE-2024-35910

tcp: properly terminate timers for kernel sockets

Severity Score

5.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

tcp: properly terminate timers for kernel sockets

We had various syzbot reports about tcp timers firing after
the corresponding netns has been dismantled.

Fortunately Josef Bacik could trigger the issue more often,
and could test a patch I wrote two years ago.

When TCP sockets are closed, we call inet_csk_clear_xmit_timers()
to 'stop' the timers.

inet_csk_clear_xmit_timers() can be called from any context,
including when socket lock is held.
This is the reason it uses sk_stop_timer(), aka del_timer().
This means that ongoing timers might finish much later.

For user sockets, this is fine because each running timer
holds a reference on the socket, and the user socket holds
a reference on the netns.

For kernel sockets, we risk that the netns is freed before
timer can complete, because kernel sockets do not hold
reference on the netns.

This patch adds inet_csk_clear_xmit_timers_sync() function
that using sk_stop_timer_sync() to make sure all timers
are terminated before the kernel socket is released.
Modules using kernel sockets close them in their netns exit()
handler.

Also add sock_not_owned_by_me() helper to get LOCKDEP
support : inet_csk_clear_xmit_timers_sync() must not be called
while socket lock is held.

It is very possible we can revert in the future commit
3a58f13a881e ("net: rds: acquire refcount on TCP sockets")
which attempted to solve the issue in rds only.
(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)

We probably can remove the check_net() tests from
tcp_out_of_resources() and __tcp_close() in the future.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: termina correctamente los temporizadores para los sockets del kernel. Recibimos varios informes de syzbot sobre los temporizadores tcp que se activan después de que se han desmantelado las redes correspondientes. Afortunadamente, Josef Bacik pudo provocar el problema con más frecuencia y pudo probar un parche que escribí hace dos años. Cuando los sockets TCP están cerrados, llamamos a inet_csk_clear_xmit_timers() para "detener" los temporizadores. Se puede llamar a inet_csk_clear_xmit_timers() desde cualquier contexto, incluso cuando se mantiene el bloqueo del socket. Esta es la razón por la que usa sk_stop_timer(), también conocido como del_timer(). Esto significa que los cronómetros en curso podrían finalizar mucho más tarde. Para los sockets de usuario, esto está bien porque cada temporizador en ejecución tiene una referencia en el socket, y el socket de usuario tiene una referencia en las redes. Para los sockets del kernel, corremos el riesgo de que la red se libere antes de que se complete el temporizador, porque los sockets del kernel no mantienen referencias en las redes. Este parche agrega la función inet_csk_clear_xmit_timers_sync() que usa sk_stop_timer_sync() para garantizar que todos los temporizadores finalicen antes de que se libere el socket del kernel. Los módulos que utilizan sockets del kernel los cierran en su controlador netns exit(). También agregue el asistente sock_not_owned_by_me() para obtener soporte LOCKDEP: no se debe llamar a inet_csk_clear_xmit_timers_sync() mientras se mantiene el bloqueo del socket. Es muy posible que podamos revertir en el futuro la confirmación 3a58f13a881e ("net: rds: adquirir refcount en sockets TCP") que intentó resolver el problema solo en rds. (net/smc/af_smc.c y net/mptcp/subflow.c tienen código similar) Probablemente podamos eliminar las pruebas check_net() de tcp_out_of_resources() y __tcp_close() en el futuro.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.8

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-19 CVE Published
2024-05-20 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/8a68173691f036613e3d4e6bf8dc129d4a7bf383	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50	2024-04-13
https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f	2024-04-13
https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810	2024-04-13
https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4	2024-04-10
https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de	2024-04-10
https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87	2024-04-10
https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a	2024-04-10
https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada	2024-03-26

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35910	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2281641	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.19.312"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.1.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.1.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.6.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.8.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.9"		en		Affected