In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.
After calling tcp_v4_syn_recv_sock(), the newly created child socket is immediately visible in the TCP ehash table and can be used by other processors (CPUs). The problem is that the newinet->pinet6 field still points to the ipv6_pinfo structure of the listening socket, instead of the properly initialized child socket structure. The code initializing this field was executed too late — after other threads could access the socket. The fix moves the problematic code to a new helper function tcp_v6_mapped_child_init(), called by tcp_v4_syn_recv_sock() before inserting the socket into the ehash table.
An attacker or race condition may lead to kernel memory corruption, which in turn may result in data disclosure, unauthorized modification of system state, or its unavailability (crash).
Patches available from the vendor should be applied according to references: commits 7178e2a8, 858d2a4f, and fe89b2f0 in the Linux kernel stable repository (git.kernel.org).
Linux kernel — versions indicated in vendor references (patches available in the stable kernel.org repository).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux2.6.127.02.6.12.1 – 6.18.16 (bez)6.19 – 6.19.6 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...