In the Linux kernel, the following vulnerability has been resolved:
af_unix: fix lockdep positive in sk_diag_dump_icons() syzbot reported a
lockdep splat [1]. Blamed commit hinted about the possible lockdep
violation, and code used unix_state_lock_nested() in an attempt to silence
lockdep. It is not sufficient, because unix_state_lock_nested() is already
used from unix_state_double_lock(). We need to use a separate subclass.
This patch adds a distinct enumeration to make things more explicit. Also
use swap() in unix_state_double_lock() as a clean up. v2: add a missing
inline keyword to unix_state_lock_nested() [1] WARNING: possible circular
locking dependency detected 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not
tainted syz-executor.1/2542 is trying to acquire lock: ffff88808b5df9e8
(rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120
net/core/skbuff.c:3863 but task is already holding lock: ffff88808b5dfe70
(&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200
net/unix/af_unix.c:2089 which lock already depends on the new lock. the
existing dependency chain (in reverse order) is: -> #1
(&u->lock/1){+.+.}-{2:2}: lock_acquire+0x1e3/0x530
kernel/locking/lockdep.c:5754 _raw_spin_lock_nested+0x31/0x40
kernel/locking/spinlock.c:378 sk_diag_dump_icons net/unix/diag.c:87
[inline] sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157 sk_diag_dump
net/unix/diag.c:196 [inline] unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
__netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
netlink_dump_start include/linux/netlink.h:338 [inline]
unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
sock_diag_rcv_msg+0xe3/0x400 netlink_rcv_skb+0x1df/0x430
net/netlink/af_netlink.c:2543 sock_diag_rcv+0x2a/0x40
net/core/sock_diag.c:280 netlink_unicast_kernel
net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7e6/0x980
net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa37/0xd70
net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x39a/0x520
net/socket.c:1160 call_write_iter include/linux/fs.h:2085 [inline]
new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa74/0xca0
fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230
arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b -> #0
(rlock-AF_UNIX){+.+.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134
[inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112 sock_sendmsg_nosec
net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584 ___sys_sendmsg
net/socket.c:2638 [inline] __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline] __se_sys_sendmmsg
net/socket.c:2750 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230
arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b other
info that might help us debug this: Possible unsafe locking scenario: CPU0
—truncated—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/4d322dce82a1d44f8c83f0f54f95dd1b8dcf46c9 (6.8-rc3)
git.kernel.org/stable/c/4d322dce82a1d44f8c83f0f54f95dd1b8dcf46c9
git.kernel.org/stable/c/5e7f3e0381c002cb2abde42f09ad511991a8ebaf
git.kernel.org/stable/c/875f31aaa67e306098befa5e798a049075910fa7
git.kernel.org/stable/c/a2104f43876408b164be5fd58f9b6a3a73b77746
git.kernel.org/stable/c/b169ffde733c5adf01788ae091c377f0eca44806
git.kernel.org/stable/c/c2d272a9a1e8f22ba584589219f6fe1886a3595f
git.kernel.org/stable/c/c8f6b3b864cb876e9ee21666a391c9ee290682ac
git.kernel.org/stable/c/f199018dc762dfa501f6d96a424468a0f3c10d9e
launchpad.net/bugs/cve/CVE-2024-26624
nvd.nist.gov/vuln/detail/CVE-2024-26624
security-tracker.debian.org/tracker/CVE-2024-26624
ubuntu.com/security/notices/USN-6688-1
www.cve.org/CVERecord?id=CVE-2024-26624