CVE-2024-50154: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

0.0 CVSS

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().

"""
We are seeing a use-after-free from a bpf prog attached to
trace_tcp_retransmit_synack. The program passes the req->sk to the
bpf_sk_storage_get_tracing kernel helper which does check for null
before using it.
"""

The commit 83fccfc3940c ("inet: fix potential deadlock in
reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
small race window.

Before the timer is called, expire_timers() calls detach_timer(timer, true)
to clear timer->entry.pprev and marks it as not pending.

If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
continue running and send multiple SYN+ACKs until it expires.

The reported UAF could happen if req->sk is close()d earlier than the timer
expiration, which is 63s by default.

The scenario would be

1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
but del_timer_sync() is missed

2. reqsk timer is executed and scheduled again

3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
reqsk timer still has another one, and inet_csk_accept() does not
clear req->sk for non-TFO sockets

4. sk is close()...

Classification

CVE ID: CVE-2024-50154

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.06% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17
https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1
https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3
https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d
https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f

Timeline