cve/published/2021/CVE-2021-47297.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47297: net: fix uninit-value in caif_seqpkt_sendmsg

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: fix uninit-value in caif_seqpkt_sendmsg

 When nr_segs equal to zero in iovec_from_user, the object
 msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
 which is defined in ___sys_sendmsg. So we cann't just judge
 msg->msg_iter.iov->base directlly. We can use nr_segs to judge
 msg in caif_seqpkt_sendmsg whether has data buffers.

 =====================================================
 BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
 Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c9/0x220 lib/dump_stack.c:118
  kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
  __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
  caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
  sock_sendmsg_nosec net/socket.c:652 [inline]
  sock_sendmsg net/socket.c:672 [inline]
  ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
  ___sys_sendmsg net/socket.c:2397 [inline]
  __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
  __compat_sys_sendmmsg net/compat.c:656 [inline]

 The Linux kernel CVE team has assigned CVE-2021-47297 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.4.277 with commit d9d646acad2c3590e189bb5d5c86ab8bd8a2dfc3
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.9.277 with commit 5c6d8e2f7187b8e45a18c27acb7a3885f03ee3db
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.14.241 with commit ffe31dd70b70a40cd6b21b78c1713a23e021843a
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.19.199 with commit 452c3ed7bf63721b07bc2238ed1261bb26027e85
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.4.136 with commit 9413c0abb57f70a953b1116318d6aa478013c35d
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.10.54 with commit 1582a02fecffcee306663035a295e28e1c4aaaff
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.13.6 with commit d4c7797ab1517515f0d08b3bc1c6b48883889c54
 	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.14 with commit 991e634360f2622a683b48dfe44fe6d9cb765a09

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47297
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/caif/caif_socket.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d9d646acad2c3590e189bb5d5c86ab8bd8a2dfc3
 	https://git.kernel.org/stable/c/5c6d8e2f7187b8e45a18c27acb7a3885f03ee3db
 	https://git.kernel.org/stable/c/ffe31dd70b70a40cd6b21b78c1713a23e021843a
 	https://git.kernel.org/stable/c/452c3ed7bf63721b07bc2238ed1261bb26027e85
 	https://git.kernel.org/stable/c/9413c0abb57f70a953b1116318d6aa478013c35d
 	https://git.kernel.org/stable/c/1582a02fecffcee306663035a295e28e1c4aaaff
 	https://git.kernel.org/stable/c/d4c7797ab1517515f0d08b3bc1c6b48883889c54
 	https://git.kernel.org/stable/c/991e634360f2622a683b48dfe44fe6d9cb765a09
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47297: net: fix uninit-value in caif_seqpkt_sendmsg

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: fix uninit-value in caif_seqpkt_sendmsg

	When nr_segs equal to zero in iovec_from_user, the object
	msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
	which is defined in ___sys_sendmsg. So we cann't just judge
	msg->msg_iter.iov->base directlly. We can use nr_segs to judge
	msg in caif_seqpkt_sendmsg whether has data buffers.

	=====================================================
	BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
	Call Trace:
	__dump_stack lib/dump_stack.c:77 [inline]
	dump_stack+0x1c9/0x220 lib/dump_stack.c:118
	kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
	__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
	caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
	sock_sendmsg_nosec net/socket.c:652 [inline]
	sock_sendmsg net/socket.c:672 [inline]
	____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
	___sys_sendmsg net/socket.c:2397 [inline]
	__sys_sendmmsg+0x808/0xc90 net/socket.c:2480
	__compat_sys_sendmmsg net/compat.c:656 [inline]

	The Linux kernel CVE team has assigned CVE-2021-47297 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.4.277 with commit d9d646acad2c3590e189bb5d5c86ab8bd8a2dfc3
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.9.277 with commit 5c6d8e2f7187b8e45a18c27acb7a3885f03ee3db
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.14.241 with commit ffe31dd70b70a40cd6b21b78c1713a23e021843a
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 4.19.199 with commit 452c3ed7bf63721b07bc2238ed1261bb26027e85
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.4.136 with commit 9413c0abb57f70a953b1116318d6aa478013c35d
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.10.54 with commit 1582a02fecffcee306663035a295e28e1c4aaaff
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.13.6 with commit d4c7797ab1517515f0d08b3bc1c6b48883889c54
	Issue introduced in 2.6.35 with commit bece7b2398d073d11b2e352405a3ecd3a1e39c60 and fixed in 5.14 with commit 991e634360f2622a683b48dfe44fe6d9cb765a09

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47297
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/caif/caif_socket.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d9d646acad2c3590e189bb5d5c86ab8bd8a2dfc3
	https://git.kernel.org/stable/c/5c6d8e2f7187b8e45a18c27acb7a3885f03ee3db
	https://git.kernel.org/stable/c/ffe31dd70b70a40cd6b21b78c1713a23e021843a
	https://git.kernel.org/stable/c/452c3ed7bf63721b07bc2238ed1261bb26027e85
	https://git.kernel.org/stable/c/9413c0abb57f70a953b1116318d6aa478013c35d
	https://git.kernel.org/stable/c/1582a02fecffcee306663035a295e28e1c4aaaff
	https://git.kernel.org/stable/c/d4c7797ab1517515f0d08b3bc1c6b48883889c54
	https://git.kernel.org/stable/c/991e634360f2622a683b48dfe44fe6d9cb765a09