CVE-2024-26750 in Linux
Summary
by MITRE • 04/04/2024
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Drop oob_skb ref before purging queue in GC.
syzbot reported another task hung in __unix_gc(). [0]
The current while loop assumes that all of the left candidates have oob_skb and calling kfree_skb(oob_skb) releases the remaining candidates.
However, I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then, the while loop never proceeds, resulting the task hung.
__unix_gc() has the same loop just before purging the collected skb, so we can call kfree_skb(oob_skb) there and let __skb_queue_purge() release all inflight sockets.
[0]:
Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200 Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70 RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287 RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84 R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __unix_gc+0xe69/0xf40 net/unix/garbage.c:343 process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706 worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787 kthread+0x2ef/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/03/2025
The vulnerability CVE-2024-26750 affects the Linux kernel's Unix domain socket implementation, specifically within the garbage collection mechanism for out-of-band data sockets. This issue manifests as a potential deadlock or system hang during the cleanup of Unix domain socket resources. The problem occurs in the __unix_gc() function which manages the garbage collection of sockets that have been marked for deletion but still contain out-of-band data structures known as oob_skb. The flaw arises from an incorrect assumption in the code's loop logic that all remaining candidate sockets will have associated oob_skb structures, leading to an infinite loop when the queue contains sockets with self-referencing file descriptors in a specific ordering. This vulnerability directly relates to CWE-835, which deals with loops that do not contain a re-initialization or termination condition, and can be categorized under ATT&CK technique T1499.1 for resource exhaustion through system instability. The reported hang occurs during kernel workqueue execution in the events_unbound context, indicating that the system becomes unresponsive while attempting to clean up Unix domain socket resources. The root cause stems from a logic error where the cleanup process fails to properly release references to socket buffers, particularly when dealing with complex file descriptor relationships. When a socket contains both self-referencing and regular file descriptors, and the order of processing places the regular socket before the self-referencing one, the loop condition never progresses, causing the kernel thread to remain indefinitely in the garbage collection routine. This represents a critical stability issue that can lead to complete system hang or denial of service in environments heavily utilizing Unix domain sockets. The fix implemented moves the kfree_skb() call to occur before the queue purge operation, ensuring that all socket buffer references are properly released before the remaining queue elements are processed by __skb_queue_purge(). This change prevents the infinite loop by ensuring proper reference counting and resource cleanup, thereby resolving the task hanging issue reported by syzbot. The vulnerability highlights the importance of proper resource management in kernel-level code, particularly when dealing with complex data structures and reference counting mechanisms. It demonstrates how subtle ordering issues in cleanup routines can lead to catastrophic system failures, emphasizing the need for rigorous testing of edge cases in kernel subsystems. The fix ensures that socket buffer references are properly handled regardless of the order in which file descriptors are processed, maintaining system stability during normal operation and preventing malicious exploitation that could leverage this condition to cause system hangs or resource exhaustion. This vulnerability impacts all Linux kernel versions that include the affected Unix domain socket garbage collection code, particularly those running systems with high socket usage or those utilizing Unix domain socket communication patterns that involve complex file descriptor relationships.