[SRU][N][PATCH 0/2] CVE-2024-56642 and CVE-2024-56661

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Fri Feb 7 16:59:16 UTC 2025


[Impact]

CVE-2024-56642

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

syzkaller reported a use-after-free of UDP kernel socket
in cleanup_bearer() without repro.

When bearer_disable() calls tipc_udp_disable(), cleanup
of the UDP kernel socket is deferred by work calling
cleanup_bearer().

tipc_net_stop() waits for such works to finish by checking
tipc_net(net)->wq_count.  However, the work decrements the
count too early before releasing the kernel socket,
unblocking cleanup_net() and resulting in use-after-free.

Move the decrement after releasing the socket in
cleanup_bearer().

CVE-2024-56661

tipc: fix NULL deref in cleanup_bearer()

syzbot found that after blamed commit, ub->ubsock->sk
was NULL when attempting the atomic_dec():

atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);

Fix this by caching the tipc_net pointer.

[Fix]

Oracular: Fixed via upstream stable updates (LP: #2096827)
Noble: Clean cherry pick of the fix commit from mainline and clean
       cherry pick of a follow-up from mainline. The follow-up fixes
       CVE-2024-56661.
Jammy: Fixed via upstream stable updates (LP: #2095283)
Focal: Fixed via upstream stable updates (LP: #2095145)

[Test case]

Compile tested only.

[Where problems could occur]

The fix affects the TIPC UDP bearer implementation. An issue with this
fix may lead to instability in inter-process or inter-node communication
over UDP. A user might experience message delivery failures, connection
timeouts between TIPC nodes, or kernel panics when attempting to
initialize or terminate TIPC services.


Eric Dumazet (1):
  tipc: fix NULL deref in cleanup_bearer()

Kuniyuki Iwashima (1):
  tipc: Fix use-after-free of kernel socket in cleanup_bearer().

 net/tipc/udp_media.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

-- 
2.43.0
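A user-space model of the three cleanup_bearer() orderings the cover letter describes (original, first fix, follow-up fix), added here as an illustration; it is not the patch series or kernel code, and the struct names mirror the kernel's but are constructed stand-ins with a flag in place of the real free:

```c
/* Added user-space model of the two cleanup_bearer() bugs, not the kernel patch.
 * Constructed stand-ins: cleanup_net() frees net once wq_count reaches zero. */
#include <stdlib.h>
#include <stdbool.h>
enum result { CLEAN, USE_AFTER_FREE, NULL_DEREF };
struct tipc_net { int wq_count; bool freed; };  /* tipc_net(net) */
struct sock { struct tipc_net *tn; };           /* tipc_net(sock_net(sk)) */
struct socket { struct sock *sk; };             /* ub->ubsock */
struct udp_bearer { struct socket *ubsock; };
/* cleanup_net() modelled as running the instant the waiter is unblocked. */
static void waiter_may_run(struct tipc_net *tn) { if (tn->wq_count == 0) tn->freed = true; }
/* Stand-in for udp_tunnel_sock_release(): teardown touches the socket's net,
 * then sock->sk is gone. Reports whether net had already been freed. */
static bool udp_tunnel_sock_release(struct socket *sock) {
    bool uaf = sock->sk->tn->freed;
    free(sock->sk);
    sock->sk = NULL;
    return uaf;
}
/* Original order: decrement, then release (CVE-2024-56642). */
static enum result cleanup_bearer_original(struct udp_bearer *ub) {
    struct tipc_net *tn = ub->ubsock->sk->tn;
    tn->wq_count--;
    waiter_may_run(tn);                         /* net is freed here */
    return udp_tunnel_sock_release(ub->ubsock) ? USE_AFTER_FREE : CLEAN;
}
/* First fix: release, then re-derive net via ub->ubsock->sk, NULL by then (CVE-2024-56661). */
static enum result cleanup_bearer_first_fix(struct udp_bearer *ub) {
    if (udp_tunnel_sock_release(ub->ubsock)) return USE_AFTER_FREE;
    if (ub->ubsock->sk == NULL) return NULL_DEREF;  /* kernel would oops */
    ub->ubsock->sk->tn->wq_count--;
    return CLEAN;
}
/* Follow-up fix: cache the tipc_net pointer, release, then decrement. */
static enum result cleanup_bearer_fixed(struct udp_bearer *ub) {
    struct tipc_net *tn = ub->ubsock->sk->tn;
    if (udp_tunnel_sock_release(ub->ubsock)) return USE_AFTER_FREE;
    tn->wq_count--;
    waiter_may_run(tn);                         /* safe: net not touched after */
    return CLEAN;
}
/* One bearer on a fresh net with one pending work, run through a variant. */
static enum result run_cleanup(enum result (*cleanup)(struct udp_bearer *)) {
    struct tipc_net tn = { .wq_count = 1, .freed = false };
    struct socket sock = { .sk = malloc(sizeof(struct sock)) };
    struct udp_bearer ub = { .ubsock = &sock };
    sock.sk->tn = &tn;
    return cleanup(&ub);
}
```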
