CVE-2024-26780 in Linux

Summary

by MITRE • 04/04/2024

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix task hung while purging oob_skb in GC.

syzbot reported a task hung; at the same time, GC was looping infinitely in list_for_each_entry_safe() for OOB skb. [0]

syzbot demonstrated that the list_for_each_entry_safe() was not actually safe in this case.

A single skb could have references for multiple sockets. If we free such a skb in the list_for_each_entry_safe(), the current and next sockets could be unlinked in a single iteration.

unix_notinflight() uses list_del_init() to unlink the socket, so the prefetched next socket forms a loop itself and list_for_each_entry_safe() never stops.

Here, we must use while() and make sure we always fetch the first socket.

[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 unix_gc+0x563/0x13b0 net/unix/garbage.c:319
 unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
 unix_release+0x91/0xf0 net/unix/af_unix.c:1064
 __sock_release+0xb0/0x270 net/socket.c:659
 sock_close+0x1c/0x30 net/socket.c:1421
 __fput+0x270/0xb80 fs/file_table.c:376
 task_work_run+0x14f/0x250 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa8a/0x2ad0 kernel/exit.c:871
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
 __do_sys_exit_group kernel/exit.c:1031 [inline]
 __se_sys_exit_group kernel/exit.c:1029 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f9d6cbdac09
Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70


Analysis

by VulDB Data Team • 08/03/2025

CVE-2024-26780 lies in the Linux kernel's AF_UNIX socket implementation, specifically in the garbage collector (unix_gc()) that purges out-of-band (OOB) socket buffers (skbs) from sockets that are candidates for collection. The flaw is an infinite loop during that purge, which leaves the calling task hung.

The root cause is unsafe list traversal during cleanup. A single skb can hold references to several sockets. When the collector frees such an skb inside list_for_each_entry_safe(), the freeing path reaches unix_notinflight(), which unlinks each referenced socket with list_del_init(). That can unlink both the current entry and the prefetched next entry in one iteration; because list_del_init() re-initialises the removed node to point at itself, the prefetched next entry forms a one-node cycle and the traversal never reaches the list head again. The "safe" guarantee of list_for_each_entry_safe() covers removal of the current entry only, not of the entry it has already prefetched.

The issue maps to CWE-691 (Insufficient Control Flow Management) and to ATT&CK technique T1499.100, that is, resource exhaustion through a system hang or deadlock. It was found by syzbot, a fuzzing-based kernel testing tool, whose NMI backtrace shows the task spinning in unix_gc() at net/unix/garbage.c:319 because the traversal cannot advance past the self-referential node. While the task is stuck there, socket cleanup never completes and the resources it holds are not released.

The fix replaces the list_for_each_entry_safe() loop with a while() loop that always re-fetches the first socket on the list, so the traversal no longer depends on a prefetched pointer that the freeing path may have unlinked. This follows the established kernel practice for walking lists whose entries can be removed by the code called from the loop body, and it addresses the underlying problem of how multiple socket references to one buffer are handled during cleanup.

Affected systems are those running kernel versions that contain the buggy AF_UNIX garbage-collection loop; the condition is most likely to be hit under heavy socket-buffer use or concurrent socket operations. The impact is denial of service: triggering the loop hangs a task and can leave the system unresponsive or force a reboot, which makes the bug relevant to anyone seeking to disrupt availability. With the fix, socket-buffer cleanup completes even when several sockets reference the same buffer, and the infinite loop that causes the task hang is gone. The case illustrates the care that kernel list handling needs when a single free operation can remove more than one list entry.
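To make the traversal hazard concrete, here is an added example in C (not the kernel's code and not from this page) that models the GC candidate list with list.h-style primitives: one skb references two sockets, a list_for_each_entry_safe()-style loop spins once that skb is freed, and the while() rewrite terminates. The modelling of kfree_skb()/unix_notinflight() as "delist every socket the skb references", the second `done` list, and the `budget` counter used to detect non-termination are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdbool.h>
/* Minimal stand-ins for the kernel's list.h primitives (added example, not kernel code). */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
/* Unlink and reinitialise: afterwards n->next == n, which turns a prefetched "next" into a loop. */
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
#define list_entry(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
/* Modelled objects: a GC candidate socket, and an skb carrying SCM_RIGHTS refs to up to two sockets. */
struct sock { struct list_head link; struct skb *oob_skb; };
struct skb { int nr_fds; struct sock *fds[2]; };
/* Modelled kfree_skb() -> unix_notinflight(): every socket the skb references is delisted (assumption). */
static void kfree_skb(struct skb *skb) { while (skb->nr_fds) list_del_init(&skb->fds[--skb->nr_fds]->link); }

/* Buggy traversal: the list_for_each_entry_safe() pattern, which prefetches the next node. */
static int purge_safe_loop(struct list_head *cand, int budget) {
    int steps = 0;
    for (struct list_head *pos = cand->next, *n = pos->next; pos != cand && steps < budget;
         pos = n, n = pos->next) {       /* once n is delisted, n->next == n: pos never reaches cand */
        struct sock *u = list_entry(pos, struct sock, link);
        if (u->oob_skb) { kfree_skb(u->oob_skb); u->oob_skb = NULL; }
        steps++;
    }
    return steps;                        /* steps == budget means the loop did not terminate */
}

/* Fixed traversal: re-read the first candidate each time, as the patch does with while(). */
static int purge_while_loop(struct list_head *cand, struct list_head *done, int budget) {
    int steps = 0;
    while (!list_empty(cand) && steps < budget) {
        struct sock *u = list_entry(cand->next, struct sock, link);
        if (u->oob_skb) { kfree_skb(u->oob_skb); u->oob_skb = NULL; }
        if (!list_empty(&u->link)) { list_del_init(&u->link); list_add_tail(&u->link, done); }
        steps++;
    }
    return steps;
}

/* Constructed scenario: candidates [A, B, C]; A's OOB skb carries fds for both A and B. */
static int run_scenario(bool fixed, int budget) {
    struct list_head cand, done; list_init(&cand); list_init(&done);
    struct sock a = {{0, 0}, 0}, b = a, c = a; struct skb shared = { 2, { &a, &b } }; a.oob_skb = &shared;
    list_add_tail(&a.link, &cand); list_add_tail(&b.link, &cand); list_add_tail(&c.link, &cand);
    return fixed ? purge_while_loop(&cand, &done, budget) : purge_safe_loop(&cand, budget);
}
```

With the buggy loop, run_scenario(false, budget) always exhausts the budget because the prefetched node B points at itself after kfree_skb() delists it; the fixed loop finishes in two steps (A and its shared skb, then C).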
