This bug is awaiting verification that the linux-azure-6.8/6.8.0-1040.46~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure-6.8' to 'verification-done-jammy-linux-azure-6.8'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-6.8' to 'verification-failed-jammy-linux-azure-6.8'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-azure-6.8-v2 verification-needed-jammy-linux-azure-6.8

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2121515

Title:
  Linux refcount imbalance in af_unix subsystem

Status in linux package in Ubuntu:
  New
Status in linux source package in Noble:
  Fix Released

Bug description:
  [Impact]

  Ubuntu Noble's 6.8 kernel contains a use-after-free vulnerability in AF_UNIX socket garbage collection when handling out-of-band (OOB) messages. The issue occurs due to a mismatch between the legacy garbage collector implementation and upstream commit ae8a1cdeada7 ("af_unix: Don't call skb_get() for OOB skb."), which was backported as part of stable updates.

  The vulnerability manifests when orphaned AF_UNIX sockets with OOB data are garbage collected. The legacy GC calls kfree_skb() expecting a refcount of 2 (one from the queue, one from the oob_skb pointer), but after ae8a1cdeada7, OOB SKBs only have a refcount of 1. This causes premature freeing and a subsequent use-after-free.

  [Test Case]

  The attached reproducer creates AF_UNIX socket pairs, sends OOB data, orphans the sockets, and triggers garbage collection. On unpatched kernels, this causes an immediate UAF/crash detectable with KASAN.

  [Fix]

  The fix modifies net/unix/garbage.c to use WRITE_ONCE(u->oob_skb, NULL) instead of kfree_skb(u->oob_skb) when collecting OOB SKBs. This aligns with the new refcounting model, where the SKB is freed when it is purged from the receive queue.

  This approach mirrors upstream's solution in 6.6 stable (commit ed14f8ae9bcf), adapted for Noble's legacy GC implementation. Noble cannot directly use the upstream fix, as it requires the complete new GC infrastructure from commit 4090fa373f0e.

  [Regression Potential]

  Low. The change is minimal and only affects the garbage collection path for orphaned AF_UNIX sockets with OOB data. Extensive testing (28+ hours of stress testing with KASAN/kmemleak) shows no memory leaks or stability issues. The fix maintains compatibility with both the legacy GC and the new refcounting model.

  [Additional Information]

  - Affects Ubuntu Noble 6.8 kernels with ae8a1cdeada7 backported
  - Does not affect kernels with the new GC (4090fa373f0e and later)
  - Test results: 28-hour stress test, 103M+ sockets created, no UAF, no leaks
  - Memory growth: ~1.8MB/hour under extreme load, with active reclamation observed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2121515/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
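The refcount mismatch in the [Impact] section and the reason the [Fix] section's one-line change is enough can be traced in a small user-space model. The program below is an added example written for this page; it is not kernel code and not the reproducer attached to the bug. struct skb, struct unix_sock, skb_get(), kfree_skb() and the purge function are simplified stand-ins for the kernel objects of the same names, and the two gc_collect_oob_* functions model the oob_skb handling in the legacy unix_gc() before and after the fix. Each scenario queues one OOB skb under either the pre-ae8a1cdeada7 convention (queue reference plus an extra skb_get() for oob_skb) or the post-ae8a1cdeada7 convention (oob_skb is a plain pointer), runs the GC step, purges the receive queue, and reports whether the skb was freed exactly once, freed twice (the use-after-free), or never freed.

```c
/* Added example: user-space model of the AF_UNIX OOB skb refcount bug.
 * Not kernel code and not the bug's attached reproducer. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct skb {
    int  users;    /* stand-in for sk_buff.users */
    bool freed;    /* set once the last reference is dropped */
    bool uaf_hit;  /* set if the skb is used after being freed */
};

struct unix_sock {
    struct skb *queue_head;  /* one-slot stand-in for sk_receive_queue */
    struct skb *oob_skb;     /* stand-in for unix_sock.oob_skb */
};

static struct skb *skb_new(void)
{
    struct skb *s = calloc(1, sizeof *s);
    assert(s);
    s->users = 1;            /* the allocator holds the first reference */
    return s;
}

static struct skb *skb_get(struct skb *s)
{
    if (s->freed) s->uaf_hit = true;
    s->users++;
    return s;
}

static void kfree_skb(struct skb *s)
{
    if (!s) return;
    if (s->freed) {          /* second free of the same skb: what KASAN reports */
        s->uaf_hit = true;
        return;
    }
    if (--s->users == 0) s->freed = true;
}

/* Before ae8a1cdeada7: the queue holds one reference, oob_skb a second one. */
static void queue_oob_old(struct unix_sock *u, struct skb *s)
{
    u->queue_head = s;
    u->oob_skb = skb_get(s);
}

/* After ae8a1cdeada7: oob_skb is a plain pointer; the queue's ref is the only one. */
static void queue_oob_new(struct unix_sock *u, struct skb *s)
{
    u->queue_head = s;
    u->oob_skb = s;
}

/* Legacy unix_gc() step for an orphaned socket with OOB data, before the fix. */
static void gc_collect_oob_before_fix(struct unix_sock *u)
{
    if (u->oob_skb) {
        kfree_skb(u->oob_skb);
        u->oob_skb = NULL;
    }
}

/* Fixed step: only clear the pointer (WRITE_ONCE(u->oob_skb, NULL) in the
 * kernel); the skb is freed when the receive queue is purged. */
static void gc_collect_oob_after_fix(struct unix_sock *u)
{
    u->oob_skb = NULL;
}

/* Stand-in for skb_queue_purge() on the receive queue. */
static void receive_queue_purge(struct unix_sock *u)
{
    struct skb *s = u->queue_head;
    u->queue_head = NULL;
    kfree_skb(s);
}

enum outcome { FREED_ONCE, USE_AFTER_FREE, LEAKED };

/* Queue one OOB skb, run the GC step, purge, and classify what happened. */
static enum outcome run_scenario(bool new_refcount, bool fixed_gc)
{
    struct unix_sock u = {0};
    struct skb *s = skb_new();       /* the allocator's ref is handed to the queue */
    enum outcome o;

    if (new_refcount) queue_oob_new(&u, s); else queue_oob_old(&u, s);
    if (fixed_gc) gc_collect_oob_after_fix(&u); else gc_collect_oob_before_fix(&u);
    receive_queue_purge(&u);

    o = s->uaf_hit ? USE_AFTER_FREE : (s->freed ? FREED_ONCE : LEAKED);
    free(s);                         /* release the model's backing memory */
    return o;
}

static const char *outcome_name(enum outcome o)
{
    return o == FREED_ONCE ? "freed once (ok)" :
           o == USE_AFTER_FREE ? "use-after-free" : "leaked";
}

int main(void)
{
    printf("old refcount, GC before fix: %s\n", outcome_name(run_scenario(false, false)));
    printf("new refcount, GC before fix: %s\n", outcome_name(run_scenario(true, false)));
    printf("new refcount, GC after fix:  %s\n", outcome_name(run_scenario(true, true)));
    printf("old refcount, GC after fix:  %s\n", outcome_name(run_scenario(false, true)));
    return 0;
}
```

The second scenario is the bug as described: with the backported commit the skb has one reference, the legacy GC's kfree_skb() drops it to zero, and the later queue purge frees it again. The third scenario is the shipped fix. The fourth scenario is included only to show, within this model, why the fix belongs with the new refcounting convention: with the old skb_get() convention, clearing the pointer alone would leave the extra reference and leak the skb.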

