"Kernel Warn in af_inet" in Linux Kernel Version 2.6.26

From: cheung wall
Date: Sun Dec 01 2024 - 23:31:17 EST


Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 2.6.26.
This issue was discovered using our custom vulnerability discovery
tool.

Affected File:

File: net/ipv4/af_inet.c

Detailed call trace:

[ 1788.473836] KERNEL: assertion (!atomic_read(&sk->sk_wmem_alloc)) failed at net/ipv4/af_inet.c (155)
[ 1788.473836] KERNEL: assertion (!sk->sk_wmem_queued) failed at net/ipv4/af_inet.c (156)
[ 1788.473836] KERNEL: assertion (!sk->sk_forward_alloc) failed at net/ipv4/af_inet.c (157)
[ 1788.473836] KERNEL: assertion (!atomic_read(&sk->sk_wmem_alloc)) failed at net/ipv4/af_inet.c (155)
[ 1788.473836] KERNEL: assertion (!sk->sk_wmem_queued) failed at net/ipv4/af_inet.c (156)
[ 1788.473862] KERNEL: assertion (!sk->sk_forward_alloc) failed at net/ipv4/af_inet.c (157)

Repro C Source Code: https://pastebin.com/qs5y6Bcy

Root Cause:

The root cause of this bug lies in the improper handling of socket
write memory management in the IPv4 stack, specifically in the
assertions within net/ipv4/af_inet.c. The PoC triggers a sequence of
socket operations, including socket, sendto, listen, and accept, with
crafted input data and parameters. These operations result in
inconsistent states of the sock structure, where critical fields like
sk_wmem_alloc, sk_wmem_queued, and sk_forward_alloc are not properly
cleared or synchronized. The kernel fails to maintain the expected
invariants for these fields, leading to assertion failures that
indicate a logical inconsistency in memory allocation or deallocation
for socket operations. This issue highlights a potential lack of
proper cleanup or state transition checks in the network stack.

Thank you for your time and attention.

Best regards

Wall
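The three assertions in the trace above are the socket-destruction invariants of inet_sock_destruct(): by the time a struct sock is torn down, every byte charged to the socket's send side (sk_wmem_alloc), every byte still sitting in its write queue (sk_wmem_queued), and every byte pre-reserved for it by the memory accounting (sk_forward_alloc) must have been released. The "KERNEL: assertion ... failed at" format comes from the BUG_TRAP macro of 2.6-era kernels, which logs and continues rather than panicking, so a trace like this signals an accounting imbalance that was detected, not a crash. The following user-space model is an added illustration, not kernel code and not the reporter's repro: the struct mirrors three fields of struct sock, and the functions sk_charge_skb, sk_uncharge_skb, sk_reserve_forward, sk_release_forward and sk_destruct_check are hypothetical simplifications of the real charge/uncharge paths. It shows a balanced lifecycle passing the destruct-time check and an unbalanced one tripping the same three conditions the report lists.

```c
/* User-space model of the socket memory accounting whose invariants
 * inet_sock_destruct() checks at net/ipv4/af_inet.c lines 155-157.
 * Added illustration only: the field names mirror struct sock, but the
 * functions below are hypothetical simplifications, not kernel APIs. */
#include <stdio.h>

struct sock_model {
    int sk_wmem_alloc;    /* bytes of skbs allocated for transmit (truesize) */
    int sk_wmem_queued;   /* bytes queued in the write queue, not yet freed */
    int sk_forward_alloc; /* bytes pre-reserved by memory accounting, unused */
};

/* Charge an skb of 'truesize' bytes to the socket and queue it. */
static void sk_charge_skb(struct sock_model *sk, int truesize)
{
    sk->sk_wmem_alloc += truesize;
    sk->sk_wmem_queued += truesize;
}

/* Mirror image of the charge: every charge needs exactly one uncharge
 * before the socket is destroyed. */
static void sk_uncharge_skb(struct sock_model *sk, int truesize)
{
    sk->sk_wmem_alloc -= truesize;
    sk->sk_wmem_queued -= truesize;
}

/* Reserve and release forward-allocated memory for the socket. */
static void sk_reserve_forward(struct sock_model *sk, int bytes)
{
    sk->sk_forward_alloc += bytes;
}

static void sk_release_forward(struct sock_model *sk, int bytes)
{
    sk->sk_forward_alloc -= bytes;
}

/* The three destruct-time checks from the trace. Returns a bitmask of the
 * failed ones: bit 0 = sk_wmem_alloc, bit 1 = sk_wmem_queued,
 * bit 2 = sk_forward_alloc. Zero means the socket is clean. */
unsigned sk_destruct_check(const struct sock_model *sk)
{
    unsigned failed = 0;
    if (sk->sk_wmem_alloc)    failed |= 1u << 0;
    if (sk->sk_wmem_queued)   failed |= 1u << 1;
    if (sk->sk_forward_alloc) failed |= 1u << 2;
    return failed;
}

/* Balanced lifecycle: every charge is matched, so no assertion fires. */
unsigned balanced_lifecycle(void)
{
    struct sock_model sk = {0, 0, 0};
    sk_reserve_forward(&sk, 4096);
    sk_charge_skb(&sk, 2048);
    sk_charge_skb(&sk, 1024);
    sk_uncharge_skb(&sk, 2048);
    sk_uncharge_skb(&sk, 1024);
    sk_release_forward(&sk, 4096);
    return sk_destruct_check(&sk);   /* 0 */
}

/* Unbalanced lifecycle: one skb and the forward reservation are never
 * released before teardown, so all three checks fail, the same pattern
 * the report's trace shows (lines 155, 156 and 157 in sequence). */
unsigned leaked_lifecycle(void)
{
    struct sock_model sk = {0, 0, 0};
    sk_reserve_forward(&sk, 4096);
    sk_charge_skb(&sk, 2048);
    sk_charge_skb(&sk, 1024);
    sk_uncharge_skb(&sk, 2048);      /* second skb is never uncharged */
    return sk_destruct_check(&sk);   /* 7: all three invariants violated */
}

int main(void)
{
    printf("balanced: failed mask = %u\n", balanced_lifecycle());
    printf("leaked:   failed mask = %u\n", leaked_lifecycle());
    return 0;
}
```

The point of the model is what the mask tells a triager: the three fields are charged and released on independent paths, so the combination that fails narrows down which release path was skipped. All three failing together, as in the trace, points at a socket that was destroyed with transmit data still queued and its reservation still held, which is the "lack of proper cleanup or state transition" the report describes.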