A vulnerability has recently been resolved in the Linux kernel. The fix landed as the commit titled "kcm: Serialise kcm_sendmsg() for the same socket." and concerns the Kernel Connection Multiplexor (KCM) socket code. The bug was initially reported by syzkaller (a kernel fuzzer) as a use after free (UAF) in kcm_release() []. In this post, we will give an overview of the vulnerability, quote the relevant part of the commit message, link to the original report, and describe the fix that was implemented.
Overview of the Vulnerability
The main issue occurs when two threads build the same MSG_MORE skb (socket buffer, struct sk_buff) through the same kcm->seq_skb pointer. kcm->seq_skb holds a message that a previous sendmsg() call with MSG_MORE left partially built, so that the next sendmsg() call on the socket can keep appending to it. The scenario involves several steps:
1. Thread A builds an skb with MSG_MORE and leaves it in kcm->seq_skb.
2. Thread A resumes building the skb from kcm->seq_skb but is blocked in sk_stream_wait_memory().
3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb, and puts the skb in the write queue.
4. Thread A resumes, hits an error, and frees the skb it was building, even though that skb is now already on the write queue.
5. kcm_release() frees the write queue and so frees the same skb a second time (the double free reported by KASAN).
When a thread is building an MSG_MORE skb, another thread must not touch it. The solution is to add a per-sk (per-socket) mutex and serialise kcm_sendmsg(), so that only one sendmsg() call at a time can run on a given KCM socket.
Fixing the Vulnerability
The fix adds a per-sk mutex and serialises kcm_sendmsg(), so that two threads can no longer touch the same MSG_MORE skb at the same time; this removes both the use after free and the double free described above. The commit message summarises it in one line:
'''
Let's add a per-sk mutex and serialise kcm_sendmsg().
'''
With kcm_sendmsg() serialised per socket, the interleaving above can no longer occur: the second thread waits on the mutex until the first has either queued or freed kcm->seq_skb and cleared it. To check whether a kernel tree carries the fix, look for the commit with that title in the history of net/kcm/kcmsock.c.
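The interleaving above, and the effect of the per-socket mutex on it, replayed in a small user-space C model. This is an added example for this post, not kernel code and not the author's own: the toy struct skb and struct kcm_sock, the two scripted "threads", the tx_mutex_owner field and the simulate() function are all assumptions made for the model. Step 1 of the scenario is reproduced by pre-seeding kcm->seq_skb; a thread that cannot take the mutex simply loses its turn in the scripted schedule. simulate(false) plays the unfixed interleaving and counts one double free; simulate(true) holds the mutex across the whole sendmsg() call and counts none.

```c
/* Added user-space model of the kcm->seq_skb race and of the per-socket mutex
 * that closes it.  Not kernel code: the toy sk_buff and kcm_sock, the scripted
 * "threads" and the tx_mutex_owner field are assumptions made for this model. */
#include <stdbool.h>

struct skb { bool freed; struct skb *next; };   /* 'freed' makes a second free detectable */

struct kcm_sock {
    struct skb *seq_skb;      /* partially built MSG_MORE skb shared by every sendmsg() call */
    struct skb *write_queue;  /* finished skbs waiting to be transmitted */
    bool serialised;          /* true: sendmsg() holds the per-socket mutex end to end (the fix) */
    int tx_mutex_owner;       /* toy mutex: 0 = free, otherwise the id of the owning thread */
    int double_frees;         /* what KASAN reported as slab-use-after-free in __skb_unlink */
};

static struct skb pool[4];    /* fixed pool instead of kmalloc() so freed skbs stay inspectable */
static int npool;

static struct skb *alloc_skb(void)
{
    pool[npool] = (struct skb){ .freed = false, .next = 0 };
    return &pool[npool++];
}

static void kfree_skb(struct kcm_sock *kcm, struct skb *s)
{
    kcm->double_frees += s->freed;   /* a second free of the same skb is the bug */
    s->freed = true;
}

/* mutex_lock() as a try-lock, so the scripted scheduler can skip a blocked thread. */
static bool tx_lock(struct kcm_sock *kcm, int tid)
{
    if (!kcm->serialised)
        return true;          /* unfixed kernel: nothing to take */
    if (kcm->tx_mutex_owner && kcm->tx_mutex_owner != tid)
        return false;         /* another sendmsg() owns this socket */
    kcm->tx_mutex_owner = tid;
    return true;
}

enum { THREAD_A = 1, THREAD_B = 2 };
struct thread { int id; int phase; bool done; struct skb *head; };  /* head: local copy of seq_skb */

/* One scheduling quantum of kcm_sendmsg() for thread t; false if it could not run. */
static bool sendmsg_step(struct kcm_sock *kcm, struct thread *t)
{
    if (t->done)
        return true;
    if (t->phase == 0) {      /* entry: lock (fixed kernel only), resume building kcm->seq_skb */
        if (!tx_lock(kcm, t->id))
            return false;
        if (!kcm->seq_skb)
            kcm->seq_skb = alloc_skb();
        t->head = kcm->seq_skb;
        t->phase = 1;
    } else if (t->phase == 1 && t->id == THREAD_A) {
        t->phase = 2;         /* A blocks in sk_stream_wait_memory(); the mutex, if any, stays held */
    } else if (t->id == THREAD_B) {
        t->head->next = kcm->write_queue;   /* B completes the message and queues the skb */
        kcm->write_queue = t->head;
        kcm->seq_skb = 0;
        kcm->tx_mutex_owner = 0;            /* mutex_unlock() */
        t->done = true;
    } else {
        kfree_skb(kcm, t->head);  /* A resumes on its error path: kfree_skb(head); seq_skb = NULL */
        kcm->seq_skb = 0;
        kcm->tx_mutex_owner = 0;
        t->done = true;
    }
    return true;
}

static void kcm_release(struct kcm_sock *kcm)
{
    struct skb *s, *n;
    for (s = kcm->write_queue; s; s = n) {   /* frees what B queued: a second free if A already did */
        n = s->next;
        kfree_skb(kcm, s);
    }
    if (kcm->seq_skb)
        kfree_skb(kcm, kcm->seq_skb);
}

/* Replay the interleaving from the commit message; return the number of double frees. */
int simulate(bool serialised)
{
    struct kcm_sock kcm = { .serialised = serialised };
    struct thread A = { .id = THREAD_A }, B = { .id = THREAD_B };
    struct thread *order[] = { &A, &A, &B, &B, &A };   /* A enters, A waits, B runs, A errors */

    npool = 0;
    kcm.seq_skb = alloc_skb();   /* step 1: an earlier sendmsg(MSG_MORE) left a partial skb behind */
    for (int i = 0; i < 5; i++)
        sendmsg_step(&kcm, order[i]);      /* a thread blocked on the mutex just loses its turn */
    for (int round = 0; round < 4 && !(A.done && B.done); round++) {
        sendmsg_step(&kcm, &A);            /* serialised case: B only runs after A has unlocked */
        sendmsg_step(&kcm, &B);
    }
    kcm_release(&kcm);
    return kcm.double_frees;
}
```

The model simplifies the real function in two ways it is worth knowing about: it assumes the error path unconditionally frees the local head pointer and clears kcm->seq_skb, and it expresses mutex_lock() as a try-lock so the schedule can be scripted. The point it preserves is the one the commit relies on: once the mutex is held from entry to every return of kcm_sendmsg(), Thread B cannot observe kcm->seq_skb until Thread A has either queued it or freed it and set it to NULL, so B starts a fresh skb and the write queue never contains an already-freed buffer.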
The original report from syzkaller can be found at the following link:
- [] BUG: KASAN: slab-use-after-free in __skb_unlink (link to bug report)
Conclusion
CVE-2024-44946 is a use-after-free and double-free bug in the Linux kernel's KCM socket code that was resolved by adding a per-sk mutex and serialising kcm_sendmsg(). The fix ensures that concurrent sendmsg() calls on the same socket cannot interfere with each other while an MSG_MORE skb is being built, which removes both the use after free and the double free in kcm_release(). The bug is only reachable on kernels built with CONFIG_AF_KCM and needs at least two threads sending on the same KCM socket; kernels that carry the fix, or a stable backport of it, are not affected.
Timeline
Published on: 08/31/2024 14:15:04 UTC
Last modified on: 09/04/2024 12:15:05 UTC