cve/published/2021/CVE-2021-47304.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47304: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

 This commit fixes a bug (found by syzkaller) that could cause spurious
 double-initializations for congestion control modules, which could cause
 memory leaks or other problems for congestion control modules (like CDG)
 that allocate memory in their init functions.

 The buggy scenario constructed by syzkaller was something like:

 (1) create a TCP socket
 (2) initiate a TFO connect via sendto()
 (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
     which calls:
        tcp_set_congestion_control() ->
          tcp_reinit_congestion_control() ->
            tcp_init_congestion_control()
 (4) receive ACK, connection is established, call tcp_init_transfer(),
     set icsk_ca_initialized=0 (without first calling cc->release()),
     call tcp_init_congestion_control() again.

 Note that in this sequence tcp_init_congestion_control() is called
 twice without a cc->release() call in between. Thus, for CC modules
 that allocate memory in their init() function, e.g, CDG, a memory leak
 may occur. The syzkaller tool managed to find a reproducer that
 triggered such a leak in CDG.

 The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init
 congestion control if not initialized already")
 introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in
 tcp_init_transfer(), missing the possibility for a sequence like the
 one above, where a process could call setsockopt(TCP_CONGESTION) in
 state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),
 which would call tcp_init_congestion_control(). It did not intend to
 reset any initialization that the user had already explicitly made;
 it just missed the possibility of that particular sequence (which
 syzkaller managed to find).

 The Linux kernel CVE team has assigned CVE-2021-47304 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 and fixed in 5.10.53 with commit ad4ba3404931745a5977ad12db4f0c34080e52f7
 	Issue introduced in 5.10 with commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 and fixed in 5.13.5 with commit fe77b85828ca9ddc42977b79de9e40d18545b4fe
 	Issue introduced in 5.10 with commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 and fixed in 5.14 with commit be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47304
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp_input.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7
 	https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe
 	https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47304: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

	This commit fixes a bug (found by syzkaller) that could cause spurious
	double-initializations for congestion control modules, which could cause
	memory leaks or other problems for congestion control modules (like CDG)
	that allocate memory in their init functions.

	The buggy scenario constructed by syzkaller was something like:

	(1) create a TCP socket
	(2) initiate a TFO connect via sendto()
	(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
	which calls:
	tcp_set_congestion_control() ->
	tcp_reinit_congestion_control() ->
	tcp_init_congestion_control()
	(4) receive ACK, connection is established, call tcp_init_transfer(),
	set icsk_ca_initialized=0 (without first calling cc->release()),
	call tcp_init_congestion_control() again.

	Note that in this sequence tcp_init_congestion_control() is called
	twice without a cc->release() call in between. Thus, for CC modules
	that allocate memory in their init() function, e.g, CDG, a memory leak
	may occur. The syzkaller tool managed to find a reproducer that
	triggered such a leak in CDG.

	The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init
	congestion control if not initialized already")
	introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in
	tcp_init_transfer(), missing the possibility for a sequence like the
	one above, where a process could call setsockopt(TCP_CONGESTION) in
	state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),
	which would call tcp_init_congestion_control(). It did not intend to
	reset any initialization that the user had already explicitly made;
	it just missed the possibility of that particular sequence (which
	syzkaller managed to find).

	The Linux kernel CVE team has assigned CVE-2021-47304 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 and fixed in 5.10.53 with commit ad4ba3404931745a5977ad12db4f0c34080e52f7
	Issue introduced in 5.10 with commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 and fixed in 5.13.5 with commit fe77b85828ca9ddc42977b79de9e40d18545b4fe
	Issue introduced in 5.10 with commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 and fixed in 5.14 with commit be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47304
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp_input.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7
	https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe
	https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc