-

CVE-2024-26923

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)	sendmsg(S, [V]); close(V)	__unix_gc()
----------------	-------------------------	-----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
			// V count=1 inflight=0

 			NS = unix_peer(S)
 			skb2 = sock_alloc()
			skb_queue_tail(NS, skb2[V])

			// V became in-flight
			// V count=2 inflight=1

			close(V)

			// V count=1 inflight=1
			// GC candidate condition met

						for u in gc_inflight_list:
						  if (total_refs == inflight_refs)
						    add u to gc_candidates

						// gc_candidates={L, V}

						for u in gc_candidates:
						  scan_children(u, dec_inflight)

						// embryo (skb1) was not
						// reachable from L yet, so V's
						// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
						for u in gc_candidates:
						  if (u.inflight)
						    scan_children(u, inc_inflight_move_tail)

						// V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < a36ae0ec2353015f0f6762e59f4c2dbc0c906423
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < 343c5372d5e17b306db5f8f3c895539b06e3177f
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < 2e2a03787f4f0abc0072350654ab0ef3324d9db3
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < e76c2678228f6aec74b305ae30c9374cc2f28a51
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < b75722be422c276b699200de90527d01c602ea7c
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < 507cc232ffe53a352847893f8177d276c3b532a9
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < dbdf7bec5c920200077d693193f989cb1513f009
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
Version < 47d8ac011fe1c9251070e1bd64cb10b48193ec51
Version 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.23
Status affected
Version < 2.6.23
Version 0
Status unaffected
Version <= 4.19.*
Version 4.19.314
Status unaffected
Version <= 5.4.*
Version 5.4.275
Status unaffected
Version <= 5.10.*
Version 5.10.216
Status unaffected
Version <= 5.15.*
Version 5.15.156
Status unaffected
Version <= 6.1.*
Version 6.1.87
Status unaffected
Version <= 6.6.*
Version 6.6.28
Status unaffected
Version <= 6.8.*
Version 6.8.7
Status unaffected
Version <= *
Version 6.9
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.08% 0.248
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String