CVE-2024-36904

一、漏洞信息
 漏洞编号：[CVE-2024-36904](https://nvd.nist.gov/vuln/detail/CVE-2024-36904)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 None
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()with nice analysis.Since commit ec94c2696f0b ( tcp/dccp: avoid one atomic operation fortimewait hashdance ), inet_twsk_hashdance() sets TIME-WAIT socket ssk_refcnt after putting it into ehash and releasing the bucket lock.Thus, there is a small race window where other threads could try toreuse the port during connect() and call sock_hold() in tcp_twsk_unique()for the TIME-WAIT socket with zero refcnt.If that happens, the refcnt taken by tcp_twsk_unique() is overwrittenand sock_put() will cause underflow, triggering a real use-after-freesomewhere else.To avoid the use-after-free, we need to use refcount_inc_not_zero() intcp_twsk_unique() and give up on reusing the port if it returns false.[0]:refcount_t: addition on 0; use-after-free.WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023RIP: 0010:refcount_warn_saturate+0xe5/0x110Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0FS:  00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0PKRU: 55555554Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80RIP: 0033:0x7f62c11a885dCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002aRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885dRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK>
 漏洞公开时间：2024-05-31 00:15:13
 漏洞创建时间：2024-06-01 05:49:25
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-36904
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36904 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-36904.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-36904 | https://bugzilla.suse.com/show_bug.cgi?id=1225732 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024053036-CVE-2024-36904-2273@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:4583 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:4823 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:4831 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:5102 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:5101 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:5692 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:6206 | https://bugzilla.redhat.com/show_bug.cgi?id=2284541 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-36904 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/linus/f2db7230f73a80dbb179deab78f88a7947f0ab7e (6.9) | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6949-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6950-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6951-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6952-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6953-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6955-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6956-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6957-1 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6950-2 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6950-3 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6949-2 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6952-2 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6951-2 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6951-3 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6950-4 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://ubuntu.com/security/notices/USN-6951-4 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-36904 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-36904 | https://ubuntu.com/security/CVE-2024-36904 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-36904 | https://ubuntu.com/security/CVE-2024-36904 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-36904 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-36904 |
| mageia |  | http://advisories.mageia.org/MGASA-2024-0263.html |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2024-36904 | https://explore.alas.aws.amazon.com/CVE-2024-36904.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36904 | https://explore.alas.aws.amazon.com/CVE-2024-36904.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  其它
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux |  | https://git.kernel.org/linus/f2db7230f73a80dbb179deab78f88a7947f0ab7e | https://git.kernel.org/linus/ec94c2696f0bcd5ae92a553244e4ac30d2171a2d | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
          In the Linux kernel, the following vulnerability has been resolved:tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()with nice analysis.Since commit ec94c2696f0b ( tcp/dccp: avoid one atomic operation fortimewait hashdance ), inet_twsk_hashdance() sets TIME-WAIT socket ssk_refcnt after putting it into ehash and releasing the bucket lock.Thus, there is a small race window where other threads could try toreuse the port during connect() and call sock_hold() in tcp_twsk_unique()for the TIME-WAIT socket with zero refcnt.If that happens, the refcnt taken by tcp_twsk_unique() is overwrittenand sock_put() will cause underflow, triggering a real use-after-freesomewhere else.To avoid the use-after-free, we need to use refcount_inc_not_zero() intcp_twsk_unique() and give up on reusing the port if it returns false.[0]:refcount_t: addition on 0; use-after-free.WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023RIP: 0010:refcount_warn_saturate+0xe5/0x110Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0FS:  00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0PKRU: 55555554Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80RIP: 0033:0x7f62c11a885dCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002aRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885dRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK>    
 openEuler评分：
  7.0
 Vector：CVSS：2.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP1(5.10.0):受影响
3.openEuler-22.03-LTS-SP3(5.10.0):受影响
4.openEuler-22.03-LTS-SP4(5.10.0):受影响
5.openEuler-24.03-LTS(6.6.0):受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-HotPatchSA-2024-1034

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 ,@gasonchen 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3:
9.openEuler-22.03-LTS-SP4:
10.openEuler-24.03-LTS(6.6.0):
11.openEuler-24.03-LTS-Next(6.6.0):

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3:
9.openEuler-22.03-LTS-SP4:
10.openEuler-24.03-LTS(6.6.0):
11.openEuler-24.03-LTS-Next(6.6.0):

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-36904	None	None	https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34 https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3 https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8 https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9 https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446
https://www.opencve.io/cve/CVE-2024-36904
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-36904
https://security-tracker.debian.org/tracker/CVE-2024-36904	None	None	https://git.kernel.org/linus/f2db7230f73a80dbb179deab78f88a7947f0ab7e

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2024-36904

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().

Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()
with nice analysis.

Since commit ec94c2696f0b (&#34;tcp/dccp: avoid one atomic operation for
timewait hashdance&#34;), inet_twsk_hashdance() sets TIME-WAIT socket&#39;s
sk_refcnt after putting it into ehash and releasing the bucket lock.

Thus, there is a small race window where other threads could try to
reuse the port during connect() and call sock_hold() in tcp_twsk_unique()
for the TIME-WAIT socket with zero refcnt.

If that happens, the refcnt taken by tcp_twsk_unique() is overwritten
and sock_put() will cause underflow, triggering a real use-after-free
somewhere else.

To avoid the use-after-free, we need to use refcount_inc_not_zero() in
tcp_twsk_unique() and give up on reusing the port if it returns false.

[0]:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110
CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1
Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
RIP: 0010:refcount_warn_saturate+0xe5/0x110
Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff &lt;0f&gt; 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8
RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027
RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0
RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0
R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84
R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0
FS:  00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
 &lt;TASK&gt;
 ? refcount_warn_saturate+0xe5/0x110
 ? __warn+0x81/0x130
 ? refcount_warn_saturate+0xe5/0x110
 ? report_bug+0x171/0x1a0
 ? refcount_warn_saturate+0xe5/0x110
 ? handle_bug+0x3c/0x80
 ? exc_invalid_op+0x17/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? refcount_warn_saturate+0xe5/0x110
 tcp_twsk_unique+0x186/0x190
 __inet_check_established+0x176/0x2d0
 __inet_hash_connect+0x74/0x7d0
 ? __pfx___inet_check_established+0x10/0x10
 tcp_v4_connect+0x278/0x530
 __inet_stream_connect+0x10f/0x3d0
 inet_stream_connect+0x3a/0x60
 __sys_connect+0xa8/0xd0
 __x64_sys_connect+0x18/0x20
 do_syscall_64+0x83/0x170
 entry_SYSCALL_64_after_hwframe+0x78/0x80
RIP: 0033:0x7f62c11a885d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 &lt;48&gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d
RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003
RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0
R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0
 &lt;/TASK&gt;

The Linux kernel CVE team has assigned CVE-2024-36904 to this issue.

openEuler评分:(评分和向量)
5.5
CVSS: 3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS:不受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:不受影响
6.openEuler-22.03-LTS-SP3:受影响
7.openEuler-22.03-LTS-SP4:不受影响
8.master(6.1.0):不受影响
9.openEuler-22.03-LTS-Next:不受影响
10.openEuler-24.03-LTS:不受影响
11.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否
11.openEuler-22.03-LTS-SP4:否