1. We backported commit 5aa57d9f2d53 ("af_unix: Don't return OOB skb in
manage_oob().") into Ubuntu 6.8 to fix CVE-2024-47711.

2. In the same SRU ("upstream stable patchset 2025-02-03", LP #2097301) the
`Stable-dep-of: 5aa57d9f2d53` query pulled the parent fix from linux-6.11.y, and
we landed it in Noble as Canonical commit ae8a1cdeada7, which is our rebased
copy of stable f0f170d7b7ed ("af_unix: Don't call skb_get() for OOB skb.").

3. That cherry-pick is exactly upstream commit 8594d9b85c07 under a different
hash, so Noble carries the upstream change via ae8a1cdeada7.

4. Our miss was not auditing whether 8594d9b85c07/ae8a1cdeada7 depended on
anything else before merging it.

** Description changed:

  [Impact]
- Ubuntu Noble's 6.8 kernel contains a use-after-free vulnerability in AF_UNIX 
socket garbage collection when handling out-of-band (OOB) messages. The issue 
occurs due to a mismatch between the legacy garbage collector implementation 
and upstream commit ae8a1cdeada7 ("af_unix: Don't call skb_get() for OOB skb.") 
which was backported as part of stable updates.
+ Ubuntu Noble's 6.8 kernel contains a use-after-free vulnerability in AF_UNIX 
socket garbage collection when handling out-of-band (OOB) messages. The issue 
occurs due to a mismatch between the legacy garbage collector implementation 
and upstream commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb.") 
which was backported as part of stable updates.
  
  The vulnerability manifests when orphaned AF_UNIX sockets with OOB data
  are garbage collected. The legacy GC calls kfree_skb() expecting a
  refcount of 2 (one from queue, one from oob_skb pointer), but after
- ae8a1cdeada7, OOB SKBs only have a refcount of 1. This causes premature
+ 8594d9b85c07, OOB SKBs only have a refcount of 1. This causes premature
  freeing and subsequent use-after-free.
  
  [Test Case]
  Reproducer attached creates AF_UNIX socket pairs, sends OOB data, orphans 
sockets, and triggers garbage collection. On unpatched kernels, this causes 
immediate UAF/crash detectable with KASAN.
  
  [Fix]
  The fix modifies net/unix/garbage.c to use WRITE_ONCE(u->oob_skb, NULL) 
instead of kfree_skb(u->oob_skb) when collecting OOB SKBs. This aligns with the 
new refcounting model where the SKB is freed when purged from the receive queue.
  
  This approach mirrors upstream's solution in 6.6 stable (commit
  ed14f8ae9bcf) but adapted for Noble's legacy GC implementation. Noble
  cannot directly use the upstream fix as it requires the complete new GC
  infrastructure from commit 4090fa373f0e.
  
  [Regression Potential]
  Low. The change is minimal and only affects the garbage collection path for 
orphaned AF_UNIX sockets with OOB data. Extensive testing (28+ hours stress 
test with KASAN/kmemleak) shows no memory leaks or stability issues. The fix 
maintains compatibility with both the legacy GC and the new refcounting model.
  
  [Additional Information]
- - Affects Ubuntu Noble 6.8 kernels with ae8a1cdeada7 backported
+ - Affects Ubuntu Noble 6.8 kernels with 8594d9b85c07 (internal hash: 
ae8a1cdeada7) backported
  - Does not affect kernels with the new GC (4090fa373f0e and later)
  - Test results: 28-hour stress test, 103M+ sockets created, no UAF, no leaks
  - Memory growth: ~1.8MB/hour under extreme load, with active reclamation 
observed
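The refcount mismatch described under [Impact] and [Fix] is easier to see in a toy model than in net/unix/garbage.c itself. The following C program is an added illustration written for this page; it is neither the attached reproducer nor kernel code. The struct names, the `skb_get_for_oob` switch (modelling whether the oob_skb pointer takes its own reference, as it did before 8594d9b85c07) and the outcome codes are assumptions that mirror the description above, and no real kernel API is called.

```c
/* Toy model of the AF_UNIX OOB skb refcount accounting described in this bug.
 * Added illustration only: simplified assumptions, not kernel code. */
#include <stdio.h>
#include <string.h>

struct toy_skb {
    int refcnt;      /* models skb->users */
    int freed;       /* set once the buffer has actually been released */
    int freed_twice; /* set if a release is attempted on an already-freed skb */
};

struct toy_unix_sock {
    struct toy_skb *queue[4]; /* models sk_receive_queue */
    int qlen;
    struct toy_skb *oob_skb;  /* models u->oob_skb */
};

enum outcome { OUTCOME_OK = 0, OUTCOME_UAF = 1, OUTCOME_LEAK = 2 };

/* Models kfree_skb(): drop one reference, release the buffer at zero.
 * A second release on a freed buffer is recorded as the use-after-free. */
static void toy_kfree_skb(struct toy_skb *skb)
{
    if (skb->freed) {
        skb->freed_twice = 1;
        return;
    }
    if (--skb->refcnt == 0)
        skb->freed = 1;
}

/* Queue an OOB skb. The receive queue always owns one reference; with
 * skb_get_for_oob set, the oob_skb pointer takes a second one, which is the
 * pre-8594d9b85c07 model (refcount 2). Without it, refcount stays 1. */
static void toy_queue_oob(struct toy_unix_sock *u, struct toy_skb *skb,
                          int skb_get_for_oob)
{
    skb->refcnt = 1;
    u->queue[u->qlen++] = skb;
    u->oob_skb = skb;
    if (skb_get_for_oob)
        skb->refcnt++;
}

/* Legacy GC path from the bug description: kfree_skb(u->oob_skb). */
static void gc_legacy_kfree(struct toy_unix_sock *u)
{
    if (u->oob_skb) {
        toy_kfree_skb(u->oob_skb);
        u->oob_skb = NULL;
    }
}

/* Fixed GC path: only clear the pointer, as WRITE_ONCE(u->oob_skb, NULL)
 * does; the receive-queue purge is what frees the skb. */
static void gc_fixed_clear(struct toy_unix_sock *u)
{
    u->oob_skb = NULL;
}

/* Models skb_queue_purge(): every queued skb loses the queue's reference. */
static void toy_purge_queue(struct toy_unix_sock *u)
{
    for (int i = 0; i < u->qlen; i++)
        toy_kfree_skb(u->queue[i]);
    u->qlen = 0;
}

/* Run one orphan-and-collect scenario and classify what happened to the skb. */
int run_scenario(int skb_get_for_oob, int use_fixed_gc)
{
    struct toy_unix_sock u;
    struct toy_skb skb;

    memset(&u, 0, sizeof u);
    memset(&skb, 0, sizeof skb);

    toy_queue_oob(&u, &skb, skb_get_for_oob);
    if (use_fixed_gc)
        gc_fixed_clear(&u);
    else
        gc_legacy_kfree(&u);
    toy_purge_queue(&u);

    if (skb.freed_twice)
        return OUTCOME_UAF;
    if (!skb.freed)
        return OUTCOME_LEAK;
    return OUTCOME_OK;
}

int main(void)
{
    printf("old refcount model, legacy GC : %d\n", run_scenario(1, 0));
    printf("new refcount model, legacy GC : %d\n", run_scenario(0, 0));
    printf("new refcount model, fixed GC  : %d\n", run_scenario(0, 1));
    return 0;
}
```

Scenario (1, 0) is the pre-backport state and frees the skb exactly once; scenario (0, 0) is Noble with 8594d9b85c07 applied but the legacy kfree_skb() still in the GC, where the purge touches an already-freed skb; scenario (0, 1) applies the WRITE_ONCE(u->oob_skb, NULL) change and the skb is again freed exactly once by the purge.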

** CVE added: https://cve.org/CVERecord?id=CVE-2024-47711

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2121515

Title:
  Linux refcount imbalance in af_unix subsystem



-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs