Ubuntu: (Multiple Advisories) (CVE-2024-44991): Linux kernel vulnerabilities

Ubuntu: (Multiple Advisories) (CVE-2024-44991): Linux kernel vulnerabilities

Severity

5

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

09/04/2024

Created

12/14/2024

Added

12/13/2024

Modified

01/30/2025

Description

In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from a task that failed to clone a new netns.In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1 -> 0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and I don't see a use-after-free) but as erroneous trigger of debug check. Add a mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns.

Solution(s)

• ubuntu-upgrade-linux-image-6-8-0-1002-gkeop
• ubuntu-upgrade-linux-image-6-8-0-1015-gke
• ubuntu-upgrade-linux-image-6-8-0-1016-raspi
• ubuntu-upgrade-linux-image-6-8-0-1017-ibm
• ubuntu-upgrade-linux-image-6-8-0-1017-oracle
• ubuntu-upgrade-linux-image-6-8-0-1017-oracle-64k
• ubuntu-upgrade-linux-image-6-8-0-1018-oem
• ubuntu-upgrade-linux-image-6-8-0-1019-gcp
• ubuntu-upgrade-linux-image-6-8-0-1019-nvidia
• ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-64k
• ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency-64k
• ubuntu-upgrade-linux-image-6-8-0-1020-aws
• ubuntu-upgrade-linux-image-6-8-0-1020-azure
• ubuntu-upgrade-linux-image-6-8-0-1020-azure-fde
• ubuntu-upgrade-linux-image-6-8-0-50-generic
• ubuntu-upgrade-linux-image-6-8-0-50-generic-64k
• ubuntu-upgrade-linux-image-6-8-0-50-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-50-lowlatency-64k
• ubuntu-upgrade-linux-image-aws
• ubuntu-upgrade-linux-image-azure
• ubuntu-upgrade-linux-image-azure-fde
• ubuntu-upgrade-linux-image-gcp
• ubuntu-upgrade-linux-image-generic
• ubuntu-upgrade-linux-image-generic-64k
• ubuntu-upgrade-linux-image-generic-64k-hwe-22-04
• ubuntu-upgrade-linux-image-generic-64k-hwe-24-04
• ubuntu-upgrade-linux-image-generic-hwe-22-04
• ubuntu-upgrade-linux-image-generic-hwe-24-04
• ubuntu-upgrade-linux-image-generic-lpae
• ubuntu-upgrade-linux-image-gke
• ubuntu-upgrade-linux-image-gkeop
• ubuntu-upgrade-linux-image-gkeop-6-8
• ubuntu-upgrade-linux-image-ibm
• ubuntu-upgrade-linux-image-ibm-classic
• ubuntu-upgrade-linux-image-ibm-lts-24-04
• ubuntu-upgrade-linux-image-kvm
• ubuntu-upgrade-linux-image-lowlatency
• ubuntu-upgrade-linux-image-lowlatency-64k
• ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04
• ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04
• ubuntu-upgrade-linux-image-lowlatency-hwe-22-04
• ubuntu-upgrade-linux-image-lowlatency-hwe-24-04
• ubuntu-upgrade-linux-image-nvidia
• ubuntu-upgrade-linux-image-nvidia-6-8
• ubuntu-upgrade-linux-image-nvidia-64k
• ubuntu-upgrade-linux-image-nvidia-64k-6-8
• ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04
• ubuntu-upgrade-linux-image-nvidia-hwe-22-04
• ubuntu-upgrade-linux-image-nvidia-lowlatency
• ubuntu-upgrade-linux-image-nvidia-lowlatency-64k
• ubuntu-upgrade-linux-image-oem-22-04
• ubuntu-upgrade-linux-image-oem-22-04a
• ubuntu-upgrade-linux-image-oem-22-04b
• ubuntu-upgrade-linux-image-oem-22-04c
• ubuntu-upgrade-linux-image-oem-22-04d
• ubuntu-upgrade-linux-image-oem-24-04
• ubuntu-upgrade-linux-image-oem-24-04a
• ubuntu-upgrade-linux-image-oracle
• ubuntu-upgrade-linux-image-oracle-64k
• ubuntu-upgrade-linux-image-raspi
• ubuntu-upgrade-linux-image-virtual
• ubuntu-upgrade-linux-image-virtual-hwe-22-04
• ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

• https://attackerkb.com/topics/cve-2024-44991
• CVE - 2024-44991
• USN-7154-1
• USN-7154-2
• USN-7155-1
• USN-7156-1
• USN-7196-1