From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47370: mptcp: ensure tx skbs always have the MPTCP ext

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mptcp: ensure tx skbs always have the MPTCP ext

Due to signed/unsigned comparison, the expression:

info->size_goal - skb->len > 0

evaluates to true when the size goal is smaller than the
skb size. That results in lack of tx cache refill, so that
the skb allocated by the core TCP code lacks the required
MPTCP skb extensions.

Due to the above, syzbot is able to trigger the following WARN_ON():

WARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366
Modules linked in:
CPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366
Code: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 <0f> 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9
RSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216
RAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000
RDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003
RBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280
R13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0
FS: 00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547
mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003
release_sock+0xb4/0x1b0 net/core/sock.c:3206
sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145
mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749
inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
sock_write_iter+0x2a0/0x3e0 net/socket.c:1057
call_write_iter include/linux/fs.h:2163 [inline]
new_sync_write+0x40b/0x640 fs/read_write.c:507
vfs_write+0x7cf/0xae0 fs/read_write.c:594
ksys_write+0x1ee/0x250 fs/read_write.c:647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9
RDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000

Fix the issue by rewriting the relevant expression to avoid
sign-related problems - note: size_goal is always >= 0.

Additionally, ensure that the skb in the tx cache always carries
the relevant extension.

The Linux kernel CVE team has assigned CVE-2021-47370 to this issue.
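The root cause above is C's usual arithmetic conversions: when a signed `size_goal` is subtracted from an unsigned `skb->len`, the signed operand is converted to unsigned first, so a negative difference wraps to a large positive value and `> 0` holds. The following stand-alone C program is an added illustration, not code from the advisory or from the kernel patch; it assumes `int` for the size goal and `unsigned int` for the skb length (the advisory itself does not state the types) and uses constructed sample values. The sign-safe predicate shown is one rewrite consistent with the commit's note that `size_goal` is always non-negative, not the kernel's change verbatim.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed types for this example: a signed size goal (the advisory notes
 * it is always >= 0) and an unsigned skb length, mirroring the kernel's
 * signed/unsigned mix without using the real structures. */
typedef int size_goal_t;
typedef unsigned int skb_len_t;

/* What the buggy subtraction actually produces: the int operand is
 * converted to unsigned int before subtracting, so when len exceeds
 * size_goal the result wraps instead of going negative. */
unsigned int wrapped_difference(size_goal_t size_goal, skb_len_t len)
{
    return size_goal - len;
}

/* The predicate as written in the advisory ("info->size_goal - skb->len > 0").
 * Intended meaning: "the current skb still has room". Actual behaviour:
 * also true whenever len > size_goal, because the difference wrapped. */
bool room_left_buggy(size_goal_t size_goal, skb_len_t len)
{
    return size_goal - len > 0;
}

/* One sign-safe rewrite (this example's, not the kernel patch verbatim):
 * compare instead of subtracting. The comparison is only meaningful
 * because size_goal >= 0; a negative goal is rejected explicitly rather
 * than being silently converted to a huge unsigned value. */
bool room_left_fixed(size_goal_t size_goal, skb_len_t len)
{
    if (size_goal < 0)
        return false;            /* not expected per the advisory */
    return (skb_len_t)size_goal > len;
}

int main(void)
{
    /* Constructed sample values; the third row is the bug case. */
    struct { size_goal_t goal; skb_len_t len; } cases[] = {
        { 1500, 1000 },   /* goal larger than the skb: room really is left */
        { 1000, 1000 },   /* skb exactly at the goal: no room */
        { 1000, 1500 },   /* skb already larger than the goal */
    };

    printf("%8s %8s %12s %6s %6s\n",
           "goal", "len", "goal-len", "buggy", "fixed");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%8d %8u %12u %6d %6d\n",
               cases[i].goal, cases[i].len,
               wrapped_difference(cases[i].goal, cases[i].len),
               room_left_buggy(cases[i].goal, cases[i].len),
               room_left_fixed(cases[i].goal, cases[i].len));
    }
    return 0;
}
```

Compiling with `-Wsign-compare` (or `-Wextra`) is the cheap check here: it flags the mixed-sign comparison in the buggy form, which is exactly the class of defect that let the tx cache go unrefilled and the MPTCP extension go missing from the skb.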


Affected and fixed versions
===========================

Issue introduced in 5.14.7 with commit e35820fb56415be6924bf552ec223ed5f347b4be and fixed in 5.14.9 with commit f8ff625a8082db8c2b58dcb5229b27928943b94b

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47370
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/mptcp/protocol.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f8ff625a8082db8c2b58dcb5229b27928943b94b
https://git.kernel.org/stable/c/977d293e23b48a1129830d7968605f61c4af71a0