Bug 2315210 (CVE-2024-46858)

Summary:	CVE-2024-46858 kernel: mptcp: pm: Fix uaf in __timer_delete_sync
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	allarkin, dfreiber, drow, jburrell, mmilgram, vkumar
Target Milestone:	---	Keywords:	Security
Target Release:	---	Flags:	allarkin: needinfo+
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in the Linux kernel’s Multipath TCP (MPTCP) subsystem. This flaw allows a local user to crash or potentially escalate their privileges on the system.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2315246
Bug Blocks:

Description OSIDB Bzimport 2024-09-27 13:23:10 UTC

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: Fix uaf in __timer_delete_sync

There are two paths to access mptcp_pm_del_add_timer, result in a race
condition:

     CPU1				CPU2
     ====                               ====
     net_rx_action
     napi_poll                          netlink_sendmsg
     __napi_poll                        netlink_unicast
     process_backlog                    netlink_unicast_kernel
     __netif_receive_skb                genl_rcv
     __netif_receive_skb_one_core       netlink_rcv_skb
     NF_HOOK                            genl_rcv_msg
     ip_local_deliver_finish            genl_family_rcv_msg
     ip_protocol_deliver_rcu            genl_family_rcv_msg_doit
     tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit
     tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list
     tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows
     tcp_data_queue                     remove_anno_list_by_saddr
     mptcp_incoming_options             mptcp_pm_del_add_timer
     mptcp_pm_del_add_timer             kfree(entry)

In remove_anno_list_by_saddr(running on CPU2), after leaving the critical
zone protected by "pm.lock", the entry will be released, which leads to the
occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).

Keeping a reference to add_timer inside the lock, and calling
sk_stop_timer_sync() with this reference, instead of "entry->add_timer".

Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
do not directly access any members of the entry outside the pm lock, which
can avoid similar "entry->x" uaf.

Comment 1 Robb Gatica 2024-09-27 14:36:14 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024092744-CVE-2024-46858-dab6@gregkh/T

Comment 6 errata-xmlrpc 2024-11-13 00:11:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:9498 https://access.redhat.com/errata/RHSA-2024:9498

Comment 7 errata-xmlrpc 2024-11-13 00:24:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:9500 https://access.redhat.com/errata/RHSA-2024:9500

Comment 8 errata-xmlrpc 2024-11-13 00:25:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:9497 https://access.redhat.com/errata/RHSA-2024:9497

Comment 9 errata-xmlrpc 2024-11-13 15:48:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:9546 https://access.redhat.com/errata/RHSA-2024:9546

Comment 10 errata-xmlrpc 2024-11-14 00:18:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9605 https://access.redhat.com/errata/RHSA-2024:9605

Comment 11 errata-xmlrpc 2024-11-19 00:43:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:9943 https://access.redhat.com/errata/RHSA-2024:9943

Comment 12 errata-xmlrpc 2024-11-19 00:52:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:9942 https://access.redhat.com/errata/RHSA-2024:9942

Comment 13 errata-xmlrpc 2024-11-26 00:34:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:10265 https://access.redhat.com/errata/RHSA-2024:10265

Comment 14 errata-xmlrpc 2024-11-26 00:48:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:10262 https://access.redhat.com/errata/RHSA-2024:10262

Comment 15 errata-xmlrpc 2024-11-26 02:09:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10281 https://access.redhat.com/errata/RHSA-2024:10281