CVE-2024-47711 (GCVE-0-2024-47711)

Vulnerability from cvelistv5 – Published: 2024-10-21 11:53 – Updated: 2026-05-23 15:53
VLAI
Title
af_unix: Don't return OOB skb in manage_oob().
Summary
In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't return OOB skb in manage_oob(). syzbot reported use-after-free in unix_stream_recv_urg(). [0] The scenario is 1. send(MSG_OOB) 2. recv(MSG_OOB) -> The consumed OOB remains in recv queue 3. send(MSG_OOB) 4. recv() -> manage_oob() returns the next skb of the consumed OOB -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared 5. recv(MSG_OOB) -> unix_sk(sk)->oob_skb is used but already freed The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb.") uncovered the issue. If the OOB skb is consumed and the next skb is peeked in manage_oob(), we still need to check if the skb is OOB. Let's do so by falling back to the following checks in manage_oob() and add the test case in selftest. Note that we need to add a similar check for SIOCATMARK. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235 CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640 unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1068 ____sys_recvmsg+0x1db/0x470 net/socket.c:2816 ___sys_recvmsg net/socket.c:2858 [inline] __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5360d6b4e9 Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9 RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003 RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001 </TASK> Allocated by task 5235: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667 alloc_skb include/linux/skbuff.h:1320 [inline] alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815 sock_alloc_send_skb include/net/sock.h:1778 [inline] queue_oob+0x108/0x680 net/unix/af_unix.c:2198 unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5235: kasan_save_stack mm/kasan/common.c:47 ---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 93c99f21db360957d49853e5666b5c147f593bda , < 4a7f9a2591a923bdde4bd7eac33490b6ae3b257c (git)
Affected: 93c99f21db360957d49853e5666b5c147f593bda , < 5aa57d9f2d5311f19434d95b2a81610aa263e23b (git)
Affected: 71f8d9a4f6e094bae951765d1d18b44827013001 (git)
Affected: 6.9.8 , < 6.10 (semver)
Create a notification for this product.
Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.11.2 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47711",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T13:03:14.686039Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T13:04:18.955Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/af_unix.c",
            "tools/testing/selftests/net/af_unix/msg_oob.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4a7f9a2591a923bdde4bd7eac33490b6ae3b257c",
              "status": "affected",
              "version": "93c99f21db360957d49853e5666b5c147f593bda",
              "versionType": "git"
            },
            {
              "lessThan": "5aa57d9f2d5311f19434d95b2a81610aa263e23b",
              "status": "affected",
              "version": "93c99f21db360957d49853e5666b5c147f593bda",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "71f8d9a4f6e094bae951765d1d18b44827013001",
              "versionType": "git"
            },
            {
              "lessThan": "6.10",
              "status": "affected",
              "version": "6.9.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/af_unix.c",
            "tools/testing/selftests/net/af_unix/msg_oob.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.2",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don\u0027t return OOB skb in manage_oob().\n\nsyzbot reported use-after-free in unix_stream_recv_urg(). [0]\n\nThe scenario is\n\n  1. send(MSG_OOB)\n  2. recv(MSG_OOB)\n     -\u003e The consumed OOB remains in recv queue\n  3. send(MSG_OOB)\n  4. recv()\n     -\u003e manage_oob() returns the next skb of the consumed OOB\n     -\u003e This is also OOB, but unix_sk(sk)-\u003eoob_skb is not cleared\n  5. recv(MSG_OOB)\n     -\u003e unix_sk(sk)-\u003eoob_skb is used but already freed\n\nThe recent commit 8594d9b85c07 (\"af_unix: Don\u0027t call skb_get() for OOB\nskb.\") uncovered the issue.\n\nIf the OOB skb is consumed and the next skb is peeked in manage_oob(),\nwe still need to check if the skb is OOB.\n\nLet\u0027s do so by falling back to the following checks in manage_oob()\nand add the test case in selftest.\n\nNote that we need to add a similar check for SIOCATMARK.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\nRead of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235\n\nCPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\n unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640\n unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778\n unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x22f/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2816\n ___sys_recvmsg net/socket.c:2858 [inline]\n __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5360d6b4e9\nCode: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9\nRDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003\nRBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001\n \u003c/TASK\u003e\n\nAllocated by task 5235:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:312 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3988 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080\n __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667\n alloc_skb include/linux/skbuff.h:1320 [inline]\n alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528\n sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815\n sock_alloc_send_skb include/net/sock.h:1778 [inline]\n queue_oob+0x108/0x680 net/unix/af_unix.c:2198\n unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n ___sys_sendmsg net/socket.c:2651 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5235:\n kasan_save_stack mm/kasan/common.c:47\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:53:47.781Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4a7f9a2591a923bdde4bd7eac33490b6ae3b257c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aa57d9f2d5311f19434d95b2a81610aa263e23b"
        }
      ],
      "title": "af_unix: Don\u0027t return OOB skb in manage_oob().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-47711",
    "datePublished": "2024-10-21T11:53:44.102Z",
    "dateReserved": "2024-09-30T16:00:12.948Z",
    "dateUpdated": "2026-05-23T15:53:47.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-47711",
      "date": "2026-06-08",
      "epss": "0.00025",
      "percentile": "0.07585"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47711\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-10-21T12:15:07.563\",\"lastModified\":\"2024-10-24T14:03:24.700\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Don\u0027t return OOB skb in manage_oob().\\n\\nsyzbot reported use-after-free in unix_stream_recv_urg(). [0]\\n\\nThe scenario is\\n\\n  1. send(MSG_OOB)\\n  2. recv(MSG_OOB)\\n     -\u003e The consumed OOB remains in recv queue\\n  3. send(MSG_OOB)\\n  4. recv()\\n     -\u003e manage_oob() returns the next skb of the consumed OOB\\n     -\u003e This is also OOB, but unix_sk(sk)-\u003eoob_skb is not cleared\\n  5. recv(MSG_OOB)\\n     -\u003e unix_sk(sk)-\u003eoob_skb is used but already freed\\n\\nThe recent commit 8594d9b85c07 (\\\"af_unix: Don\u0027t call skb_get() for OOB\\nskb.\\\") uncovered the issue.\\n\\nIf the OOB skb is consumed and the next skb is peeked in manage_oob(),\\nwe still need to check if the skb is OOB.\\n\\nLet\u0027s do so by falling back to the following checks in manage_oob()\\nand add the test case in selftest.\\n\\nNote that we need to add a similar check for SIOCATMARK.\\n\\n[0]:\\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\\nRead of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235\\n\\nCPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:93 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\\n unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640\\n unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778\\n unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x22f/0x280 net/socket.c:1068\\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2816\\n ___sys_recvmsg net/socket.c:2858 [inline]\\n __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f5360d6b4e9\\nCode: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\\nRAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9\\nRDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003\\nRBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\\nR13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001\\n \u003c/TASK\u003e\\n\\nAllocated by task 5235:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n unpoison_slab_object mm/kasan/common.c:312 [inline]\\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\\n slab_post_alloc_hook mm/slub.c:3988 [inline]\\n slab_alloc_node mm/slub.c:4037 [inline]\\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080\\n __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667\\n alloc_skb include/linux/skbuff.h:1320 [inline]\\n alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528\\n sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815\\n sock_alloc_send_skb include/net/sock.h:1778 [inline]\\n queue_oob+0x108/0x680 net/unix/af_unix.c:2198\\n unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x221/0x270 net/socket.c:745\\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\\n ___sys_sendmsg net/socket.c:2651 [inline]\\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nFreed by task 5235:\\n kasan_save_stack mm/kasan/common.c:47\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: af_unix: No devuelva skb OOB en manage_oob(). syzbot inform\u00f3 de un error de use after free en unix_stream_recv_urg(). [0] El escenario es 1. send(MSG_OOB) 2. recv(MSG_OOB) -\u0026gt; El OOB consumido permanece en la cola de recepci\u00f3n 3. send(MSG_OOB) 4. recv() -\u0026gt; manage_oob() devuelve el siguiente skb del OOB consumido -\u0026gt; Este tambi\u00e9n es OOB, pero unix_sk(sk)-\u0026gt;oob_skb no se borra 5. recv(MSG_OOB) -\u0026gt; unix_sk(sk)-\u0026gt;oob_skb se usa pero ya se liber\u00f3 La reciente confirmaci\u00f3n 8594d9b85c07 (\\\"af_unix: No llame a skb_get() para skb OOB\\\") descubri\u00f3 el problema. Si se consume el skb OOB y se examina el siguiente skb en manage_oob(), a\u00fan necesitamos verificar si el skb es OOB. Hag\u00e1moslo recurriendo a las siguientes verificaciones en manage_oob() y agregando el caso de prueba en selftest. Tenga en cuenta que necesitamos agregar una verificaci\u00f3n similar para SIOCATMARK. [0]: ERROR: KASAN: slab-use-after-free en unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff8880326abcc4 por la tarea syz-executor178/5235 CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 No contaminado 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:93 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 descripci\u00f3n de la direcci\u00f3n de impresi\u00f3n mm/kasan/report.c:377 [en l\u00ednea] informe de impresi\u00f3n+0x169/0x550 mm/kasan/report.c:488 informe de kasan+0x143/0x180 mm/kasan/report.c:601 unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640 unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996 sock_recvmsg_nosec red/socket.c:1046 [en l\u00ednea] sock_recvmsg+0x22f/0x280 red/socket.c:1068 ____sys_recvmsg+0x1db/0x470 red/socket.c:2816 ___sys_recvmsg red/socket.c:2858 [en l\u00ednea] __sys_recvmsg+0x2f0/0x3e0 red/socket.c:2888 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f DESCARGA: 0033:0x7f5360d6b4e9 C\u00f3digo: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9 RDX: 0000000000002001 RSI: 0000000020000640 RDI: 000000000 0000003 RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000000001 R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001  Asignado por la tarea 5235: kasan_save_stack mm/kasan/common.c:47 [en l\u00ednea] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [en l\u00ednea] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [en l\u00ednea] slab_post_alloc_hook mm/slub.c:3988 [en l\u00ednea] slab_alloc_node mm/slub.c:4037 [en l\u00ednea] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667 alloc_skb include/linux/skbuff.h:1320 [en l\u00ednea] alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815 sock_alloc_send_skb include/net/sock.h:1778 [en l\u00ednea] queue_oob+0x108/0x680 net/unix/af_unix.c:2198 unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351 sock_sendmsg_nosec net/socket.c:730 [en l\u00ednea] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [en l\u00ednea] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Liberado por la tarea ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9.8\",\"versionEndExcluding\":\"6.10\",\"matchCriteriaId\":\"7CD11465-AFC4-428F-A933-C8F6486DDC2F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.11.2\",\"matchCriteriaId\":\"634B10CE-0F2B-4C13-B5F9-5F2559F2369D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4a7f9a2591a923bdde4bd7eac33490b6ae3b257c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5aa57d9f2d5311f19434d95b2a81610aa263e23b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47711\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-21T13:03:14.686039Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-21T13:03:17.827Z\"}}], \"cna\": {\"title\": \"af_unix: Don\u0027t return OOB skb in manage_oob().\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"93c99f21db360957d49853e5666b5c147f593bda\", \"lessThan\": \"4a7f9a2591a923bdde4bd7eac33490b6ae3b257c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"93c99f21db360957d49853e5666b5c147f593bda\", \"lessThan\": \"5aa57d9f2d5311f19434d95b2a81610aa263e23b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"71f8d9a4f6e094bae951765d1d18b44827013001\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6.9.8\", \"lessThan\": \"6.10\", \"versionType\": \"semver\"}], \"programFiles\": [\"net/unix/af_unix.c\", \"tools/testing/selftests/net/af_unix/msg_oob.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.11.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.11.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/unix/af_unix.c\", \"tools/testing/selftests/net/af_unix/msg_oob.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4a7f9a2591a923bdde4bd7eac33490b6ae3b257c\"}, {\"url\": \"https://git.kernel.org/stable/c/5aa57d9f2d5311f19434d95b2a81610aa263e23b\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Don\u0027t return OOB skb in manage_oob().\\n\\nsyzbot reported use-after-free in unix_stream_recv_urg(). [0]\\n\\nThe scenario is\\n\\n  1. send(MSG_OOB)\\n  2. recv(MSG_OOB)\\n     -\u003e The consumed OOB remains in recv queue\\n  3. send(MSG_OOB)\\n  4. recv()\\n     -\u003e manage_oob() returns the next skb of the consumed OOB\\n     -\u003e This is also OOB, but unix_sk(sk)-\u003eoob_skb is not cleared\\n  5. recv(MSG_OOB)\\n     -\u003e unix_sk(sk)-\u003eoob_skb is used but already freed\\n\\nThe recent commit 8594d9b85c07 (\\\"af_unix: Don\u0027t call skb_get() for OOB\\nskb.\\\") uncovered the issue.\\n\\nIf the OOB skb is consumed and the next skb is peeked in manage_oob(),\\nwe still need to check if the skb is OOB.\\n\\nLet\u0027s do so by falling back to the following checks in manage_oob()\\nand add the test case in selftest.\\n\\nNote that we need to add a similar check for SIOCATMARK.\\n\\n[0]:\\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\\nRead of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235\\n\\nCPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:93 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\\n unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640\\n unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778\\n unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x22f/0x280 net/socket.c:1068\\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2816\\n ___sys_recvmsg net/socket.c:2858 [inline]\\n __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f5360d6b4e9\\nCode: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\\nRAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9\\nRDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003\\nRBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\\nR13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001\\n \u003c/TASK\u003e\\n\\nAllocated by task 5235:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n unpoison_slab_object mm/kasan/common.c:312 [inline]\\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\\n slab_post_alloc_hook mm/slub.c:3988 [inline]\\n slab_alloc_node mm/slub.c:4037 [inline]\\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080\\n __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667\\n alloc_skb include/linux/skbuff.h:1320 [inline]\\n alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528\\n sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815\\n sock_alloc_send_skb include/net/sock.h:1778 [inline]\\n queue_oob+0x108/0x680 net/unix/af_unix.c:2198\\n unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x221/0x270 net/socket.c:745\\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\\n ___sys_sendmsg net/socket.c:2651 [inline]\\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nFreed by task 5235:\\n kasan_save_stack mm/kasan/common.c:47\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11.2\", \"versionStartIncluding\": \"6.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12\", \"versionStartIncluding\": \"6.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.9.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-23T15:53:47.781Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47711\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-23T15:53:47.781Z\", \"dateReserved\": \"2024-09-30T16:00:12.948Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T11:53:44.102Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.