
Description

In the Linux kernel, the following vulnerability has been resolved:

net/handshake: duplicate handshake cancellations leak socket

When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed.

If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs.

This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync().

Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected.
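The duplicate-cancel sequence described above, as a simplified userspace C model added here for illustration; it is not the kernel's code or the upstream patch. The `model_*` names, `run_duplicate_cancel`, the `with_fix` switch and the starting reference count of 1 are assumptions, and only the control flow named in the description is modelled.

```c
/* Userspace model built from the CVE description; constructed, not kernel source. */
#include <stdbool.h>
#include <stdio.h>
#define REQ_COMPLETED 0x1u              /* stands in for HANDSHAKE_F_REQ_COMPLETED */
struct model_sock { int refcnt; };      /* hypothetical simplified socket */
struct model_req {
    struct model_sock *sk;
    bool pending;                       /* models hn_requests list membership */
    unsigned int flags;                 /* models req->hr_flags */
};

/* Models remove_pending(): true only for the call that unlinks the request. */
static bool model_remove_pending(struct model_req *req) {
    bool was_pending = req->pending;
    req->pending = false;
    return was_pending;
}

/* Non-atomic stand-in for test_and_set_bit(): returns the previous bit state. */
static bool model_test_and_set(unsigned int *flags, unsigned int bit) {
    bool was_set = (*flags & bit) != 0;
    *flags |= bit;
    return was_set;
}

/* Cancel path. with_fix adds the completed-flag check to the pending branch. */
static bool model_cancel(struct model_req *req, bool with_fix) {
    if (model_remove_pending(req)) {
        if (with_fix && model_test_and_set(&req->flags, REQ_COMPLETED))
            return false;
    } else if (model_test_and_set(&req->flags, REQ_COMPLETED)) {
        return false;                   /* duplicate detected, no second put */
    }
    req->sk->refcnt--;                  /* the socket put at the out_true label */
    return true;
}

/* Two cancels for one request; returns the socket's final reference count. */
int run_duplicate_cancel(bool with_fix) {
    struct model_sock sk = { .refcnt = 1 };   /* the reference held for the request */
    struct model_req req = { .sk = &sk, .pending = true, .flags = 0 };
    model_cancel(&req, with_fix);       /* e.g. server FIN via xs_reset_transport() */
    model_cancel(&req, with_fix);       /* e.g. client timeout via xs_tls_handshake_sync() */
    return sk.refcnt;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", run_duplicate_cancel(false), run_duplicate_cancel(true));
    return 0;
}
```

In the unfixed model the first cancel leaves the completed flag clear, so the second cancel passes the flag check and drops a reference the request no longer holds; with the flag set in the pending branch, the second cancel returns early.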

PUBLISHED Reserved 2025-12-24 | Published 2026-01-13 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

3b3009ea8abb713b022d94fba95ec270cf6e7eae (git) before 011ae80c49d9bfa5b4336f8bd387cd25c7593663
affected

3b3009ea8abb713b022d94fba95ec270cf6e7eae (git) before e1641177e7fb48a0a5a06658d4aab51da6656659
affected

3b3009ea8abb713b022d94fba95ec270cf6e7eae (git) before 3c330f1dee3cd92b57e19b9d21dc8ce5970b09be
affected

3b3009ea8abb713b022d94fba95ec270cf6e7eae (git) before 15564bd67e2975002f2a8e9defee33e321d3183f
affected

Default status
affected

6.4
affected

Any version before 6.4
unaffected

6.6.120 (semver)
unaffected

6.12.64 (semver)
unaffected

6.18.3 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/011ae80c49d9bfa5b4336f8bd387cd25c7593663

git.kernel.org/...c/e1641177e7fb48a0a5a06658d4aab51da6656659

git.kernel.org/...c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be

git.kernel.org/...c/15564bd67e2975002f2a8e9defee33e321d3183f

cve.org (CVE-2025-68775)

nvd.nist.gov (CVE-2025-68775)
