APPLIED: [SRU][N][PATCH 0/2] CVE-2024-56642 and CVE-2024-56661

Koichiro Den koichiro.den at canonical.com
Fri Feb 28 03:17:05 UTC 2025


On Fri, Feb 07, 2025 at 05:59:16PM GMT, Massimiliano Pellizzer wrote:
> [Impact]
> 
> CVE-2024-56642
> 
> tipc: Fix use-after-free of kernel socket in cleanup_bearer().
> 
> syzkaller reported a use-after-free of UDP kernel socket
> in cleanup_bearer() without repro.
> 
> When bearer_disable() calls tipc_udp_disable(), cleanup
> of the UDP kernel socket is deferred by work calling
> cleanup_bearer().
> 
> tipc_net_stop() waits for such works to finish by checking
> tipc_net(net)->wq_count.  However, the work decrements the
> count too early before releasing the kernel socket,
> unblocking cleanup_net() and resulting in use-after-free.
> 
> Move the decrement after releasing the socket in
> cleanup_bearer().
> 
> CVE-2024-56661
> 
> tipc: fix NULL deref in cleanup_bearer()
> 
> syzbot found that after blamed commit, ub->ubsock->sk
> was NULL when attempting the atomic_dec():
> 
> atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
> 
> Fix this by caching the tipc_net pointer.
> 
> [Fix]
> 
> Oracular: Fixed via upstream stable updates (LP: #2096827)
> Noble: Clean cherry pick of the fix commit from mainline and clean
>        cherry pick of a follow-up from mainline. The followup fixes
>        CVE-2024-56661.
> Jammy: Fixed via upstream stable updates (LP: #2095283)
> Focal: Fixed via upstream stable updates (LP: #2095145)
> 
> [Test case]
> 
> Compile tested only.
> 
> [Where problems could occur]
> 
> The fix affects the TIPC UDP bearer implementation. An issue with this
> fix may lead to instability in inter-process or inter-node communication
> over UDP. A user might experience message delivery failures, connection
> timeouts between TIPC nodes, or kernel panics when attempting to
> initialize or terminate TIPC services.
> 
> 
> Eric Dumazet (1):
>   tipc: fix NULL deref in cleanup_bearer()
> 
> Kuniyuki Iwashima (1):
>   tipc: Fix use-after-free of kernel socket in cleanup_bearer().
> 
>  net/tipc/udp_media.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 

Applied to noble:linux master-next branch. Thanks!
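
The ordering problem described in the quoted cover letter, as an added userspace model (not kernel code and not part of the patches in this series): it compares decrementing wq_count before the release, decrementing after the release through the socket's sk pointer, and decrementing after the release through a cached pointer. All type and function names are hypothetical stand-ins, and the model assumes that releasing the socket leaves its sk pointer NULL, which is what the cover letter reports syzbot observing.

```c
/* Userspace model (constructed for illustration) of cleanup_bearer() ordering. */
#include <stddef.h>

struct tn_model   { int wq_count; };                      /* stands in for tipc_net */
struct sk_model   { struct tn_model *tn; };               /* stands in for struct sock */
struct sock_model { struct sk_model *sk; int released; }; /* stands in for ub->ubsock */

enum result  { OK = 0, WAITER_UNBLOCKED_EARLY = 1, NULL_SK_DEREF = 2 };
enum variant { DEC_BEFORE_RELEASE, DEC_AFTER_RELEASE, CACHED_POINTER };

/* Assumption: releasing the kernel socket leaves sock->sk NULL. */
static void release_model(struct sock_model *s) { s->sk = NULL; s->released = 1; }

/* Models tipc_net_stop(): it stops waiting once wq_count reaches zero. */
static int waiter_may_proceed(const struct tn_model *tn) { return tn->wq_count == 0; }

enum result cleanup_bearer_model(enum variant v)
{
    struct tn_model tn = { .wq_count = 1 };       /* one deferred work pending */
    struct sk_model sk = { .tn = &tn };
    struct sock_model ubsock = { .sk = &sk, .released = 0 };
    struct tn_model *cached = ubsock.sk->tn;      /* taken while sk is still valid */

    switch (v) {
    case DEC_BEFORE_RELEASE:   /* count drops while the socket is still live */
        ubsock.sk->tn->wq_count--;
        if (waiter_may_proceed(&tn) && !ubsock.released)
            return WAITER_UNBLOCKED_EARLY;  /* netns teardown can now race the socket */
        release_model(&ubsock);
        return OK;
    case DEC_AFTER_RELEASE:    /* correct order, but the lookup goes through sk */
        release_model(&ubsock);
        if (ubsock.sk == NULL)
            return NULL_SK_DEREF;           /* reported here instead of dereferenced */
        ubsock.sk->tn->wq_count--;
        return OK;
    case CACHED_POINTER:       /* correct order, no lookup through the released socket */
        release_model(&ubsock);
        cached->wq_count--;
        return (waiter_may_proceed(&tn) && ubsock.released) ? OK : WAITER_UNBLOCKED_EARLY;
    }
    return OK;
}
```
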


