CVE-2024-36904 - Linux Kernel Use-After-Free Vulnerability in tcp_twsk_unique()

The Linux Kernel has recently addressed a use-after-free vulnerability in the tcp_twsk_unique() function. This vulnerability was reported by Anderson Nascimento who provided an in-depth analysis of the issue.

The Problem

The vulnerability originates from the commit ec94c2696fb ("tcp/dccp: avoid one atomic operation for timewait hashdance"). Since this commit, inet_twsk_hashdance() sets the TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. This creates a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with a zero refcnt.

If this situation occurs, the refcnt that is taken by tcp_twsk_unique() is overwritten and sock_put() will cause an underflow, ultimately triggering a real use-after-free issue somewhere else.

The Solution

To avoid the use-after-free problem, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false.

The following is a code snippet from the Linux Kernel patch that implements this fix

static bool tcp_twsk_unique(struct sock *sk, struct sock *ssk, __u16 port,
                    bool *first, bool *second)
{
        struct inet_timewait_sock *tw = inet_twsk(ssk);
        bool reuse_port;
        bool inc_refcnt;

        if (!tw)
                return false;

        *first = false;
        *second = false;

        inc_refcnt = refcount_inc_not_zero(&ssk->sk_refcnt);

        if (!refcount_read(&tw->tw_refcnt))
                reuse_port = true;
        else
                reuse_port = tcp_bind_conflict(sk, inet_twsk(sk)->tw_tb);

        if (!reuse_port && inc_refcnt)
                sock_put(ssk);

        return reuse_port;
}

On their analysis report, Anderson Nascimento documented the vulnerability, which presents the following warning message:

refcount_t: addition on ; use-after-free.
WARNING: CPU:  PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+xe5/x110
CPU:  PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1
[...]
</TASK>

In conclusion, this use-after-free vulnerability in the Linux Kernel has been resolved by using refcount_inc_not_zero() in the tcp_twsk_unique() function. Adopting this approach prevents the underflow issue from occurring and mitigates the risk of a real use-after-free situation elsewhere in the Linux Kernel.

Timeline

Published on: 05/30/2024 16:15:13 UTC
Last modified on: 12/19/2024 09:01:45 UTC