cve/published/2021/CVE-2021-47132.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47132: mptcp: fix sk_forward_memory corruption on retransmission

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: fix sk_forward_memory corruption on retransmission

 MPTCP sk_forward_memory handling is a bit special, as such field
 is protected by the msk socket spin_lock, instead of the plain
 socket lock.

 Currently we have a code path updating such field without handling
 the relevant lock:

 __mptcp_retrans() -> __mptcp_clean_una_wakeup()

 Several helpers in __mptcp_clean_una_wakeup() will update
 sk_forward_alloc, possibly causing such field corruption, as reported
 by Matthieu.

 Address the issue providing and using a new variant of blamed function
 which explicitly acquires the msk spin lock.

 The Linux kernel CVE team has assigned CVE-2021-47132 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25 and fixed in 5.12.10 with commit b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
 	Issue introduced in 5.12 with commit 64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25 and fixed in 5.13 with commit b5941f066b4ca331db225a976dae1d6ca8cf0ae3
 	Issue introduced in 5.11.4 with commit 96db8ffef07516a6d7414b6988f2a4298a839977

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47132
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/protocol.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
 	https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47132: mptcp: fix sk_forward_memory corruption on retransmission

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: fix sk_forward_memory corruption on retransmission

	MPTCP sk_forward_memory handling is a bit special, as such field
	is protected by the msk socket spin_lock, instead of the plain
	socket lock.

	Currently we have a code path updating such field without handling
	the relevant lock:

	__mptcp_retrans() -> __mptcp_clean_una_wakeup()

	Several helpers in __mptcp_clean_una_wakeup() will update
	sk_forward_alloc, possibly causing such field corruption, as reported
	by Matthieu.

	Address the issue providing and using a new variant of blamed function
	which explicitly acquires the msk spin lock.

	The Linux kernel CVE team has assigned CVE-2021-47132 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25 and fixed in 5.12.10 with commit b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
	Issue introduced in 5.12 with commit 64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25 and fixed in 5.13 with commit b5941f066b4ca331db225a976dae1d6ca8cf0ae3
	Issue introduced in 5.11.4 with commit 96db8ffef07516a6d7414b6988f2a4298a839977

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47132
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/protocol.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
	https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3