Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:af_unix: Drop oob_skb ref before purging queue in GC.syzbot reported another task hung in __unix_gc(). [0]The current while loop assumes that all of the left candidateshave oob_skb and calling kfree_skb(oob_skb) releases the remainingcandidates.However, I missed a case that oob_skb has self-referencing fd andanother fd and the latter sk is placed before the former in thecandidate list. Then, the while loop never proceeds, resultingthe task hung.__unix_gc() has the same loop just before purging the collected skb,so we can call kfree_skb(oob_skb) there and let __skb_queue_purge()release all inflight sockets.[0]:Sending NMI from CPU 0 to CPUs 1:NMI backtrace for cpu 1CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024Workqueue: events_unbound __unix_gcRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds