Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.[EOL][EOL]syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY[EOL]skbs.  We can reproduce the problem with these sequences:[EOL][EOL]  sk = socket(AF_INET, SOCK_DGRAM, 0)[EOL]  sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)[EOL]  sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)[EOL]  sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53))[EOL]  sk.close()[EOL][EOL]sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets[EOL]skb->cb->ubuf.refcnt to 1, and calls sock_hold().  Here, struct[EOL]ubuf_info_msgzc indirectly holds a refcnt of the socket.  When the[EOL]skb is sent, __skb_tstamp_tx() clones it and puts the clone into[EOL]the socket's error queue with the TX timestamp.[EOL][EOL]When the original skb is received locally, skb_copy_ubufs() calls[EOL]skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt.[EOL]This additional count is decremented while freeing the skb, but struct[EOL]ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is[EOL]not called.[EOL][EOL]The last refcnt is not released unless we retrieve the TX timestamped[EOL]skb by recvmsg().  Since we clear the error queue in inet_sock_destruct()[EOL]after the socket's refcnt reaches 0, there is a circular dependency.[EOL]If we close() the socket holding such skbs, we never call sock_put()[EOL]and leak the count, sk, and skb.[EOL][EOL]TCP has the same problem, and commit e0c8bccd40fc ("net: stream:[EOL]purge sk_error_queue in sk_stream_kill_queues()") tried to fix it[EOL]by calling skb_queue_purge() during close().  However, there is a[EOL]small chance that skb queued in a qdisc or device could be put[EOL]into the error queue after the skb_queue_purge() call.[EOL][EOL]In __skb_tstamp_tx(), the cloned skb should not have a reference[EOL]to the ubuf to remove the circular dependency, but skb_clone() does[EOL]not call skb_copy_ubufs() for zerocopy skb.  So, we need to call[EOL]skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().[EOL][EOL][0]:[EOL]BUG: memory leak[EOL]unreferenced object 0xffff88800c6d2d00 (size 1152):[EOL]  comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)[EOL]  hex dump (first 32 bytes):[EOL]    00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00  ................[EOL]    02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............[EOL]  backtrace:[EOL]    [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024[EOL]    [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083[EOL]    [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline][EOL]    [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245[EOL]    [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515[EOL]    [<00000000b9b11231>] sock_create net/socket.c:1566 [inline][EOL]    [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline][EOL]    [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline][EOL]    [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636[EOL]    [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline][EOL]    [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline][EOL]    [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647[EOL]    [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline][EOL]    [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80[EOL]    [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd[EOL][EOL]BUG: memory leak[EOL]unreferenced object 0xffff888017633a00 (size 240):[EOL]  comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)[EOL]  hex dump (first 32 bytes):[EOL]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................[EOL]    00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff  .........-m.....[EOL]  backtrace:[EOL]    [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497[EOL]    [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline][EOL]    [<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596[EOL]    [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline][EOL]    [<00000000be626478>][EOL]---truncated---

CVEs

• CVE-2023-53489