Assigner: Linux
Reserved: 2024-06-21
Published: 2024-06-21
Updated: 2024-06-21
Description
In the Linux kernel, the following vulnerability has been resolved:

tls: fix missing memory barrier in tls_init

In tls_init(), a write memory barrier is missing, and store-store reordering may cause a NULL dereference in tls_{setsockopt,getsockopt}.

    CPU0                                      CPU1
    -----                                     -----
    // In tls_init()
    // In tls_ctx_create()
    ctx = kzalloc()
    ctx->sk_proto = READ_ONCE(sk->sk_prot)    -(1)
    // In update_sk_prot()
    WRITE_ONCE(sk->sk_prot, tls_prots)        -(2)
                                              // In sock_common_setsockopt()
                                              READ_ONCE(sk->sk_prot)->setsockopt()
                                              // In tls_{setsockopt,getsockopt}()
                                              ctx->sk_proto->setsockopt()    -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing a NULL dereference.

To fix it, we rely on rcu_assign_pointer(), which implies release barrier semantics. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto is visible when changing sk->sk_prot.
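The publish ordering described above, as an added userspace model that is not kernel code: C11 release/acquire stands in for rcu_assign_pointer()/rcu_dereference(), and the names struct sock, tls_ctx, ulp_data, tls_init() and count_null_observations() are assumptions standing in for sk, tls_context, icsk_ulp_data and the real functions. It races a reader against the publisher and counts how often the reader sees a NULL ctx->sk_proto, which with the release store can never happen.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Stand-ins for the kernel structures (assumed names; not kernel code). */
struct proto   { int id; };
struct tls_ctx { struct proto *sk_proto; };            /* tls_context         */
struct sock {
    _Atomic(struct proto *)   sk_prot;                 /* sk->sk_prot         */
    _Atomic(struct tls_ctx *) ulp_data;                /* icsk->icsk_ulp_data */
};
static struct proto base_prots = { 1 }, tls_prots = { 2 };
/* Publisher modelled on tls_init(): (1) copy sk_prot into ctx, publish ctx, then
 * (2) switch sk_prot. release != 0 publishes with release semantics (what the fixed
 * rcu_assign_pointer() placement gives); release == 0 is the pre-fix plain store. */
static void tls_init(struct sock *sk, int release)
{
    struct tls_ctx *ctx = calloc(1, sizeof *ctx); if (!ctx) abort();     /* kzalloc() */
    ctx->sk_proto = atomic_load_explicit(&sk->sk_prot, memory_order_relaxed); /* (1) */
    atomic_store_explicit(&sk->ulp_data, ctx,
                          release ? memory_order_release : memory_order_relaxed);
    atomic_store_explicit(&sk->sk_prot, &tls_prots, memory_order_relaxed);    /* (2) */
}
/* Reader modelled on tls_{setsockopt,getsockopt}(): the acquire load of ctx pairs with
 * the release above (as rcu_dereference() does), so ctx->sk_proto is visible at (3). */
static void *reader(void *arg)
{
    struct sock *sk = arg;
    struct tls_ctx *ctx;
    do ctx = atomic_load_explicit(&sk->ulp_data, memory_order_acquire); while (!ctx);
    return ctx->sk_proto;                  /* NULL here is the bug; (3) would crash */
}
/* Races one reader against tls_init() `trials` times; returns how many times the
 * reader observed a NULL ctx->sk_proto (0 is the only correct answer when release). */
static int count_null_observations(int trials, int release)
{
    int nulls = 0;
    for (int i = 0; i < trials; i++) {
        struct sock sk;
        atomic_init(&sk.sk_prot, &base_prots);
        atomic_init(&sk.ulp_data, NULL);
        pthread_t t; void *seen;
        pthread_create(&t, NULL, reader, &sk);
        tls_init(&sk, release);
        pthread_join(t, &seen);
        free(atomic_load_explicit(&sk.ulp_data, memory_order_relaxed));
        if (seen == NULL) nulls++;
    }
    return nulls;
}
```

The pre-fix variant (release == 0) is a data race by construction and only shows the NULL observation on hardware that actually reorders the two stores, which is why the fix cannot be validated by testing on one architecture alone.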
Product status
Git commit ranges:
    d5bee7374b68 before d72e126e9a36
    d5bee7374b68 before 2c260a24cf1c
    d5bee7374b68 before 335c8f1566d8
    d5bee7374b68 before ab67c2fd3d07
    d5bee7374b68 before ef21007a7b58
    d5bee7374b68 before 91e61dd7a0af
Versions:
    5.7
    Any version before 5.7
    5.10.219
    5.15.161
    6.1.93
    6.6.33
    6.9.4
    6.10-rc1
References
https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071
https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b
https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b
https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c
https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b
https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302