cvelistv5 - cve-2022-49775

cve-2022-49775

Vulnerability from cvelistv5

Published

2025-05-01 14:09

Modified

2025-05-01 14:09

Severity ?

Summary

tcp: cdg: allow tcp_cdg_release() to be called multiple times

References

▼	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/0b19171439016a8e4c97eafe543670ac86e2b8fe
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/1b639be27cbf428a5ca01dcf8b5d654194c956f8
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/35309be06b6feded2ab2cafbc2bca8534c2fa41e
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/4026033907cc6186d86b48daa4a252c860db2536
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/72e560cb8c6f80fc2b4afc5d3634a32465e13a51
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/78be2ee0112409ae4e9ee9e326151e0559b3d239
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/9e481d87349d2282f400ee1d010a169c99f766b8
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/b49026d9c86f35a4c5bfb8d7345c9c4379828c6b

Impacted products

▼	Vendor	Product
	Linux	Linux
	Linux	Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_cdg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b19171439016a8e4c97eafe543670ac86e2b8fe",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "4026033907cc6186d86b48daa4a252c860db2536",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "9e481d87349d2282f400ee1d010a169c99f766b8",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "78be2ee0112409ae4e9ee9e326151e0559b3d239",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "35309be06b6feded2ab2cafbc2bca8534c2fa41e",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "b49026d9c86f35a4c5bfb8d7345c9c4379828c6b",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "1b639be27cbf428a5ca01dcf8b5d654194c956f8",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            },
            {
              "lessThan": "72e560cb8c6f80fc2b4afc5d3634a32465e13a51",
              "status": "affected",
              "version": "2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_cdg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.334",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.300",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.267",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.225",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: cdg: allow tcp_cdg_release() to be called multiple times\n\nApparently, mptcp is able to call tcp_disconnect() on an already\ndisconnected flow. This is generally fine, unless current congestion\ncontrol is CDG, because it might trigger a double-free [1]\n\nInstead of fixing MPTCP, and future bugs, we can make tcp_disconnect()\nmore resilient.\n\n[1]\nBUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline]\nBUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567\n\nCPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: events mptcp_worker\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x719 mm/kasan/report.c:433\nkasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462\n____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356\nkasan_slab_free include/linux/kasan.h:200 [inline]\nslab_free_hook mm/slub.c:1759 [inline]\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\nslab_free mm/slub.c:3539 [inline]\nkfree+0xe2/0x580 mm/slub.c:4567\ntcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145\n__mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327\nmptcp_do_fastclose net/mptcp/protocol.c:2592 [inline]\nmptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627\nprocess_one_work+0x991/0x1610 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\u003c/TASK\u003e\n\nAllocated by task 3671:\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\nkasan_set_track mm/kasan/common.c:45 [inline]\nset_alloc_info mm/kasan/common.c:437 [inline]\n____kasan_kmalloc mm/kasan/common.c:516 [inline]\n____kasan_kmalloc mm/kasan/common.c:475 [inline]\n__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525\nkmalloc_array include/linux/slab.h:640 [inline]\nkcalloc include/linux/slab.h:671 [inline]\ntcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380\ntcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193\ntcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline]\ntcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391\ndo_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513\ntcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801\nmptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844\n__sys_setsockopt+0x2d6/0x690 net/socket.c:2252\n__do_sys_setsockopt net/socket.c:2263 [inline]\n__se_sys_setsockopt net/socket.c:2260 [inline]\n__x64_sys_setsockopt+0xba/0x150 net/socket.c:2260\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 16:\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\nkasan_set_track+0x21/0x30 mm/kasan/common.c:45\nkasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370\n____kasan_slab_free mm/kasan/common.c:367 [inline]\n____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329\nkasan_slab_free include/linux/kasan.h:200 [inline]\nslab_free_hook mm/slub.c:1759 [inline]\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\nslab_free mm/slub.c:3539 [inline]\nkfree+0xe2/0x580 mm/slub.c:4567\ntcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226\ntcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254\ntcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969\ninet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157\ntcp_done+0x23b/0x340 net/ipv4/tcp.c:4649\ntcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624\ntcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525\ntcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759\nip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439\nip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484\nNF_HOOK include/linux/netfilter.h:302 [inline]\nNF_HOOK include/linux/netfilter.h:296 [inline]\nip6_input+0x9c/0xd\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T14:09:11.827Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b19171439016a8e4c97eafe543670ac86e2b8fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/4026033907cc6186d86b48daa4a252c860db2536"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e481d87349d2282f400ee1d010a169c99f766b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/78be2ee0112409ae4e9ee9e326151e0559b3d239"
        },
        {
          "url": "https://git.kernel.org/stable/c/35309be06b6feded2ab2cafbc2bca8534c2fa41e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b49026d9c86f35a4c5bfb8d7345c9c4379828c6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b639be27cbf428a5ca01dcf8b5d654194c956f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/72e560cb8c6f80fc2b4afc5d3634a32465e13a51"
        }
      ],
      "title": "tcp: cdg: allow tcp_cdg_release() to be called multiple times",
      "x_generator": {
        "engine": "bippy-1.1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49775",
    "datePublished": "2025-05-01T14:09:11.827Z",
    "dateReserved": "2025-04-16T07:17:33.805Z",
    "dateUpdated": "2025-05-01T14:09:11.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49775\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:00.650\",\"lastModified\":\"2025-05-02T13:53:20.943\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: cdg: allow tcp_cdg_release() to be called multiple times\\n\\nApparently, mptcp is able to call tcp_disconnect() on an already\\ndisconnected flow. This is generally fine, unless current congestion\\ncontrol is CDG, because it might trigger a double-free [1]\\n\\nInstead of fixing MPTCP, and future bugs, we can make tcp_disconnect()\\nmore resilient.\\n\\n[1]\\nBUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline]\\nBUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567\\n\\nCPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\\nWorkqueue: events mptcp_worker\\nCall Trace:\\n\u003cTASK\u003e\\n__dump_stack lib/dump_stack.c:88 [inline]\\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\\nprint_address_description mm/kasan/report.c:317 [inline]\\nprint_report.cold+0x2ba/0x719 mm/kasan/report.c:433\\nkasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462\\n____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356\\nkasan_slab_free include/linux/kasan.h:200 [inline]\\nslab_free_hook mm/slub.c:1759 [inline]\\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\\nslab_free mm/slub.c:3539 [inline]\\nkfree+0xe2/0x580 mm/slub.c:4567\\ntcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145\\n__mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327\\nmptcp_do_fastclose net/mptcp/protocol.c:2592 [inline]\\nmptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627\\nprocess_one_work+0x991/0x1610 kernel/workqueue.c:2289\\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\\n\u003c/TASK\u003e\\n\\nAllocated by task 3671:\\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\\nkasan_set_track mm/kasan/common.c:45 [inline]\\nset_alloc_info mm/kasan/common.c:437 [inline]\\n____kasan_kmalloc mm/kasan/common.c:516 [inline]\\n____kasan_kmalloc mm/kasan/common.c:475 [inline]\\n__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525\\nkmalloc_array include/linux/slab.h:640 [inline]\\nkcalloc include/linux/slab.h:671 [inline]\\ntcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380\\ntcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193\\ntcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline]\\ntcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391\\ndo_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513\\ntcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801\\nmptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844\\n__sys_setsockopt+0x2d6/0x690 net/socket.c:2252\\n__do_sys_setsockopt net/socket.c:2263 [inline]\\n__se_sys_setsockopt net/socket.c:2260 [inline]\\n__x64_sys_setsockopt+0xba/0x150 net/socket.c:2260\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nFreed by task 16:\\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\\nkasan_set_track+0x21/0x30 mm/kasan/common.c:45\\nkasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370\\n____kasan_slab_free mm/kasan/common.c:367 [inline]\\n____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329\\nkasan_slab_free include/linux/kasan.h:200 [inline]\\nslab_free_hook mm/slub.c:1759 [inline]\\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\\nslab_free mm/slub.c:3539 [inline]\\nkfree+0xe2/0x580 mm/slub.c:4567\\ntcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226\\ntcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254\\ntcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969\\ninet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157\\ntcp_done+0x23b/0x340 net/ipv4/tcp.c:4649\\ntcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624\\ntcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525\\ntcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759\\nip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439\\nip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484\\nNF_HOOK include/linux/netfilter.h:302 [inline]\\nNF_HOOK include/linux/netfilter.h:296 [inline]\\nip6_input+0x9c/0xd\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp:cdg: permite llamar a tcp_cdg_release() varias veces. Aparentemente, mptcp puede llamar a tcp_disconnect() en un flujo ya desconectado. Esto generalmente funciona bien, a menos que el control de congesti\u00f3n actual sea CDG, ya que podr\u00eda desencadenar una doble liberaci\u00f3n [1]. En lugar de corregir MPTCP y futuros errores, podemos hacer que tcp_disconnect() sea m\u00e1s resistente. [1] ERROR: KASAN: doble liberaci\u00f3n en slab_free mm/slub.c:3539 [en l\u00ednea] ERROR: KASAN: doble liberaci\u00f3n en kfree+0xe2/0x580 mm/slub.c:4567 CPU: 0 PID: 3645 Comm: kworker/0:7 No contaminado 6.0.0-syzkaller-02734-g0326074ff465 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 22/09/2022 Cola de trabajo: eventos mptcp_worker Rastreo de llamadas:  __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462 ____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1759 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785 slab_free mm/slub.c:3539 [inline] kfree+0xe2/0x580 mm/slub.c:4567 tcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145 __mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327 mptcp_do_fastclose net/mptcp/protocol.c:2592 [inline] mptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306  Allocated by task 3671: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] ____kasan_kmalloc mm/kasan/common.c:516 [inline] ____kasan_kmalloc mm/kasan/common.c:475 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525 kmalloc_array include/linux/slab.h:640 [inline] kcalloc include/linux/slab.h:671 [inline] tcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380 tcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193 tcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline] tcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391 do_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513 tcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801 mptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844 __sys_setsockopt+0x2d6/0x690 net/socket.c:2252 __do_sys_setsockopt net/socket.c:2263 [inline] __se_sys_setsockopt net/socket.c:2260 [inline] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 16: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:367 [inline] ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1759 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785 slab_free mm/slub.c:3539 [inline] kfree+0xe2/0x580 mm/slub.c:4567 tcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226 tcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254 tcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157 tcp_done+0x23b/0x340 net/ipv4/tcp.c:4649 tcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624 tcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525 tcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759 ip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439 ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484 NF_HOOK include/linux/netfilter.h:302 [inline] NF_HOOK include/linux/netfilter.h:296 [inline] ip6_input+0x9c/0xd ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b19171439016a8e4c97eafe543670ac86e2b8fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1b639be27cbf428a5ca01dcf8b5d654194c956f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/35309be06b6feded2ab2cafbc2bca8534c2fa41e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4026033907cc6186d86b48daa4a252c860db2536\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72e560cb8c6f80fc2b4afc5d3634a32465e13a51\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/78be2ee0112409ae4e9ee9e326151e0559b3d239\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9e481d87349d2282f400ee1d010a169c99f766b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b49026d9c86f35a4c5bfb8d7345c9c4379828c6b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

ghsa-52wf-qx53-m2m5

Vulnerability from github

Published

2025-05-01 15:31

Modified

2025-05-01 15:31

Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: cdg: allow tcp_cdg_release() to be called multiple times

Apparently, mptcp is able to call tcp_disconnect() on an already disconnected flow. This is generally fine, unless current congestion control is CDG, because it might trigger a double-free [1]

Instead of fixing MPTCP, and future bugs, we can make tcp_disconnect() more resilient.

[1] BUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline] BUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567

CPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Workqueue: events mptcp_worker Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462 _kasanslab_free+0x18b/0x1c0 mm/kasan/common.c:356 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1759 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785 slab_free mm/slub.c:3539 [inline] kfree+0xe2/0x580 mm/slub.c:4567 tcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145 mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327 mptcp_do_fastclose net/mptcp/protocol.c:2592 [inline] mptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Allocated by task 3671: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] _kasankmalloc mm/kasan/common.c:516 [inline] __kasan_kmalloc mm/kasan/common.c:475 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525 kmalloc_array include/linux/slab.h:640 [inline] kcalloc include/linux/slab.h:671 [inline] tcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380 tcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193 tcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline] tcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391 do_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513 tcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801 mptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844 __sys_setsockopt+0x2d6/0x690 net/socket.c:2252 __do_sys_setsockopt net/socket.c:2263 [inline] __se_sys_setsockopt net/socket.c:2260 [inline] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 16: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 _kasanslab_free mm/kasan/common.c:367 [inline] __kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1759 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785 slab_free mm/slub.c:3539 [inline] kfree+0xe2/0x580 mm/slub.c:4567 tcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226 tcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254 tcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157 tcp_done+0x23b/0x340 net/ipv4/tcp.c:4649 tcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624 tcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525 tcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759 ip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439 ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484 NF_HOOK include/linux/netfilter.h:302 [inline] NF_HOOK include/linux/netfilter.h:296 [inline] ip6_input+0x9c/0xd ---truncated---

Show details on source website