CVE-2024-26782 in Linuxinfo

Summary

by MITRE • 04/04/2024

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix double-free on socket dismantle

when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat:

BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0

CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b

Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4

The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0)

The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/03/2025

The vulnerability described in CVE-2024-26782 affects the Linux kernel's implementation of Multipath TCP (MPTCP) and stems from a flaw in how listener sockets are cloned during incoming connection handling. When an MPTCP server accepts a new connection, it clones the listener socket to create a new socket for the connection. However, the cloned socket inherits the same pointer to the `inet_opt` structure from the original socket. This shared reference causes a double-free condition when both the original and cloned socket are destroyed, leading to a kernel memory corruption scenario that manifests as a KASAN double-free error. The issue is particularly critical because it occurs during normal socket teardown operations, making it exploitable under specific conditions.

The technical root cause involves improper memory management within the MPTCP subsystem. During socket creation, the `inet_opt` pointer is copied without proper reference counting or duplication, causing both sockets to point to the same memory region. When the kernel attempts to free this memory during socket destruction, the `inet_sock_destruct` function is invoked twice on the same memory address, triggering a double-free error as reported by KASAN. The stack trace demonstrates that the error occurs during the destruction sequence of TCP sockets, specifically when `tcp_v4_destroy_sock` calls `inet_csk_destroy_sock` which eventually leads to `inet_sock_destruct` attempting to free memory that has already been freed. This vulnerability aligns with CWE-415, which describes double-free conditions in memory management, and is a direct consequence of improper resource handling in kernel-level socket operations.

The operational impact of this vulnerability extends beyond simple memory corruption, as it can lead to system instability, kernel panics, or potentially allow for privilege escalation depending on the exploitation context. Attackers could leverage this flaw to cause denial of service or potentially gain unauthorized access to kernel memory spaces. The double-free condition creates an opportunity for memory corruption that may be exploited to manipulate kernel data structures or execute arbitrary code with kernel privileges. Given that MPTCP is a key protocol for high-performance networking in modern Linux systems, this vulnerability affects a broad range of systems using MPTCP-enabled kernels. The vulnerability is particularly concerning in server environments where continuous socket operations and connection handling are common, as it can be triggered through normal network activity without requiring special privileges.

Mitigation strategies should focus on applying the kernel patch that resolves the double-free issue by ensuring proper duplication of the `inet_opt` structure during socket cloning. The fix typically involves modifying the MPTCP socket cloning logic to properly allocate and reference new `inet_opt` structures instead of sharing references. System administrators should update to kernel versions containing the patched code, which is expected to be included in the 6.8 stable release. Additionally, monitoring for KASAN reports and kernel oops messages can help detect exploitation attempts. While waiting for patches, administrators can disable MPTCP functionality through kernel parameters or module loading controls, though this impacts network performance and functionality. The vulnerability demonstrates the importance of rigorous memory management practices in kernel code, particularly when dealing with shared resources and complex socket operations, and serves as a reminder of the critical nature of proper reference counting in kernel subsystems.

Reservation

02/19/2024

Disclosure

04/04/2024

Moderation

accepted

CPE

ready

EPSS

0.00240

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!