In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sock_def_readable()
A race condition exists between lec_atm_close() setting priv->lecd
to NULL and concurrent access to priv->lecd in send_to_lecd(),
lec_handle_bridge(), and lec_atm_send(). When the socket is freed
via RCU while another thread is still using it, a use-after-free
occurs in sock_def_readable() when accessing the socket's wait queue.
The root cause is that lec_atm_close() clears priv->lecd without
any synchronization, while callers dereference priv->lecd without
any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer:
- Mark priv->lecd as __rcu in lec.h
- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()
for safe pointer assignment
- Use rcu_access_pointer() for NULL checks that do not dereference
the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and
lecd_attach()
- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),
lec_handle_bridge() and lec_atm_send() to safely access lecd
- Use rcu_assign_pointer() followed by synchronize_rcu() in
lec_atm_close() to ensure all readers have completed before
proceeding. This is safe since lec_atm_close() is called from
vcc_release() which holds lock_sock(), a sleeping lock.
- Remove the manual sk_receive_queue drain from lec_atm_close()
since vcc_destroy_socket() already drains it after lec_atm_close()
returns.
v2: Switch from spinlock + sock_hold/put approach to RCU to properly
fix the race. The v1 spinlock approach had two issues pointed out
by Eric Dumazet:
1. priv->lecd was still accessed directly after releasing the
lock instead of using a local copy.
2. The spinlock did not prevent packets being queued after
lec_atm_close() drains sk_receive_queue since timer and
workqueue paths bypass netif_stop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated
unexpectedly with "Connection to localhost closed by remote host",
likely due to a QEMU AHCI emulation issue unrelated to this fix.
Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
A use-after-free vulnerability exists in the Linux kernel's ATM LEC module due to a race condition between socket closure and concurrent access to the lecd pointer. The vulnerability occurs when priv->lecd is cleared without synchronization, causing potential crashes in sock_def_readable() when the socket is freed via RCU.
تتعلق هذه الثغرة بحالة تسابق في وحدة ATM LEC بنواة لينكس حيث يتم مسح المؤشر priv->lecd دون تزامن مناسب. يمكن أن يؤدي هذا إلى استخدام الذاكرة بعد تحررها عند وصول خيوط متزامنة إلى المؤشر المحرر.
A use-after-free vulnerability in Linux kernel ATM LEC module allows race conditions between socket closure and concurrent access. This can lead to kernel crashes when the lecd pointer is accessed after being freed without proper synchronization.
Update the Linux kernel to the patched version that implements RCU-protected pointer handling for priv->lecd. Apply the fix that converts priv->lecd to use rcu_assign_pointer() and rcu_access_pointer() for proper synchronization. Ensure kernel version is updated to include this ATM LEC race condition fix.
قم بتحديث نواة لينكس إلى الإصدار المصحح الذي ينفذ معالجة المؤشرات المحمية بـ RCU لـ priv->lecd. طبق الإصلاح الذي يحول priv->lecd لاستخدام rcu_assign_pointer() و rcu_access_pointer() للمزامنة الصحيحة. تأكد من تحديث إصدار النواة ليشمل هذا الإصلاح.