{"vulnerability": "CVE-2024-44946", "sightings": [{"uuid": "38b2aec7-ac8c-4199-9787-e83212d5bb96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-44946", "type": "seen", "source": "https://t.me/cvedetector/4577", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-44946 - Linux KCM kcm_sendmsg() UAF\", \n  \"Content\": \"CVE ID : CVE-2024-44946 \nPublished : Aug. 31, 2024, 2:15 p.m. | 25\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nkcm: Serialise kcm_sendmsg() for the same socket.  \n  \nsyzkaller reported UAF in kcm_release(). [0]  \n  \nThe scenario is  \n  \n  1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.  \n  \n  2. Thread A resumes building skb from kcm->seq_skb but is blocked  \n     by sk_stream_wait_memory()  \n  \n  3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb  \n     and puts the skb to the write queue  \n  \n  4. Thread A faces an error and finally frees skb that is already in the  \n     write queue  \n  \n  5. kcm_release() does double-free the skb in the write queue  \n  \nWhen a thread is building a MSG_MORE skb, another thread must not touch it.  \n  \nLet's add a per-sk mutex and serialise kcm_sendmsg().  \n  \n[0]:  \nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]  \nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]  \nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]  \nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]  \nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691  \nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167  \n  \nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0  \nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024  \nCall trace:  \n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291  \n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298  \n __dump_stack lib/dump_stack.c:88 [inline]  \n dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106  \n print_address_description mm/kasan/report.c:377 [inline]  \n print_report+0x178/0x518 mm/kasan/report.c:488  \n kasan_report+0xd8/0x138 mm/kasan/report.c:601  \n __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381  \n __skb_unlink include/linux/skbuff.h:2366 [inline]  \n __skb_dequeue include/linux/skbuff.h:2385 [inline]  \n __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]  \n __skb_queue_purge include/linux/skbuff.h:3181 [inline]  \n kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691  \n __sock_release net/socket.c:659 [inline]  \n sock_close+0xa4/0x1e8 net/socket.c:1421  \n __fput+0x30c/0x738 fs/file_table.c:376  \n ____fput+0x20/0x30 fs/file_table.c:404  \n task_work_run+0x230/0x2e0 kernel/task_work.c:180  \n exit_task_work include/linux/task_work.h:38 [inline]  \n do_exit+0x618/0x1f64 kernel/exit.c:871  \n do_group_exit+0x194/0x22c kernel/exit.c:1020  \n get_signal+0x1500/0x15ec kernel/signal.c:2893  \n do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249  \n do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148  \n exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]  \n exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]  \n el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713  \n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730  \n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598  \n  \nAllocated by task 6166:  \n kasan_save_stack mm/kasan/common.c:47 [inline]  \n kasan_save_track+0x40/0x78 mm/kasan/common.c:68  \n kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626  \n unpoison_slab_object mm/kasan/common.c:314 [inline]  \n __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340  \n kasan_slab_alloc include/linux/kasan.h:201 [inline]  \n slab_post_alloc_hook mm/slub.c:3813 [inline]  \n slab_alloc_node mm/slub.c:3860 [inline]  \n kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903  \n __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641  \n alloc_skb include/linux/skbuff.h:1296 [inline]  \n kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783  \n sock_sendmsg_nosec net/socket.c:730 [inline]  \n __sock_se[...]", "creation_timestamp": "2024-08-31T16:43:34.000000Z"}]}