{
  "threat_severity" : "Low",
  "public_date" : "2024-04-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mptcp: fix double-free on socket dismantle",
    "id" : "2273468",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2273468"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: fix double-free on socket dismantle\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\nBUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\nFree of addr ffff888485950880 by task swapper/25/0\nCPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\nHardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\nCall Trace:\n<IRQ>\ndump_stack_lvl+0x32/0x50\nprint_report+0xca/0x620\nkasan_report_invalid_free+0x64/0x90\n__kasan_slab_free+0x1aa/0x1f0\nkfree+0xed/0x2e0\ninet_sock_destruct+0x54f/0x8b0\n__sk_destruct+0x48/0x5b0\nrcu_do_batch+0x34e/0xd90\nrcu_core+0x559/0xac0\n__do_softirq+0x183/0x5a4\nirq_exit_rcu+0x12d/0x170\nsysvec_apic_timer_interrupt+0x6b/0x80\n</IRQ>\n<TASK>\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nRIP: 0010:cpuidle_enter_state+0x175/0x300\nCode: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\nRSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\nRDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\nRBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\nR10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\nR13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\ncpuidle_enter+0x4a/0xa0\ndo_idle+0x310/0x410\ncpu_startup_entry+0x51/0x60\nstart_secondary+0x211/0x270\nsecondary_startup_64_no_verify+0x184/0x18b\n</TASK>\nAllocated by task 6853:\nkasan_save_stack+0x1c/0x40\nkasan_save_track+0x10/0x30\n__kasan_kmalloc+0xa6/0xb0\n__kmalloc+0x1eb/0x450\ncipso_v4_sock_setattr+0x96/0x360\nnetlbl_sock_setattr+0x132/0x1f0\nselinux_netlbl_socket_post_create+0x6c/0x110\nselinux_socket_post_create+0x37b/0x7f0\nsecurity_socket_post_create+0x63/0xb0\n__sock_create+0x305/0x450\n__sys_socket_create.part.23+0xbd/0x130\n__sys_socket+0x37/0xb0\n__x64_sys_socket+0x6f/0xb0\ndo_syscall_64+0x83/0x160\nentry_SYSCALL_64_after_hwframe+0x6e/0x76\nFreed by task 6858:\nkasan_save_stack+0x1c/0x40\nkasan_save_track+0x10/0x30\nkasan_save_free_info+0x3b/0x60\n__kasan_slab_free+0x12c/0x1f0\nkfree+0xed/0x2e0\ninet_sock_destruct+0x54f/0x8b0\n__sk_destruct+0x48/0x5b0\nsubflow_ulp_release+0x1f0/0x250\ntcp_cleanup_ulp+0x6e/0x110\ntcp_v4_destroy_sock+0x5a/0x3a0\ninet_csk_destroy_sock+0x135/0x390\ntcp_fin+0x416/0x5c0\ntcp_data_queue+0x1bc8/0x4310\ntcp_rcv_state_process+0x15a3/0x47b0\ntcp_v4_do_rcv+0x2c1/0x990\ntcp_v4_rcv+0x41fb/0x5ed0\nip_protocol_deliver_rcu+0x6d/0x9f0\nip_local_deliver_finish+0x278/0x360\nip_local_deliver+0x182/0x2c0\nip_rcv+0xb5/0x1c0\n__netif_receive_skb_one_core+0x16e/0x1b0\nprocess_backlog+0x1e3/0x650\n__napi_poll+0xa6/0x500\nnet_rx_action+0x740/0xbb0\n__do_softirq+0x183/0x5a4\nThe buggy address belongs to the object at ffff888485950880\nwhich belongs to the cache kmalloc-64 of size 64\nThe buggy address is located 0 bytes inside of\n64-byte region [ffff888485950880, ffff8884859508c0)\nThe buggy address belongs to the physical page:\npage:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\nflags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\npage_type: 0xffffffff()\nraw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\nraw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff888485950780: fa fb fb\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-06-05T00:00:00Z",
    "advisory" : "RHSA-2024:3618",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.5.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26782\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26782\nhttps://lore.kernel.org/linux-cve-announce/2024040458-CVE-2024-26782-71ca@gregkh/T" ],
  "name" : "CVE-2024-26782",
  "csaw" : false
}