cve/published/2021/CVE-2021-47448.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47448: mptcp: fix possible stall on recvmsg()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: fix possible stall on recvmsg()

 recvmsg() can enter an infinite loop if the caller provides the
 MSG_WAITALL, the data present in the receive queue is not sufficient to
 fulfill the request, and no more data is received by the peer.

 When the above happens, mptcp_wait_data() will always return with
 no wait, as the MPTCP_DATA_READY flag checked by such function is
 set and never cleared in such code path.

 Leveraging the above syzbot was able to trigger an RCU stall:

 rcu: INFO: rcu_preempt self-detected stall on CPU
 rcu:    0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1
         (t=10500 jiffies g=13089 q=109)
 rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
 rcu:    Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
 rcu: RCU grace-period kthread stack dump:
 task:rcu_preempt     state:R  running task     stack:28696 pid:   14 ppid:     2 flags:0x00004000
 Call Trace:
  context_switch kernel/sched/core.c:4955 [inline]
  __schedule+0x940/0x26f0 kernel/sched/core.c:6236
  schedule+0xd3/0x270 kernel/sched/core.c:6315
  schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881
  rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955
  rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128
  kthread+0x405/0x4f0 kernel/kthread.c:327
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 rcu: Stack dump where RCU GP kthread last ran:
 Sending NMI from CPU 0 to CPUs 1:
 NMI backtrace for cpu 1
 CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]
 RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
 RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
 RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
 RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
 RIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189
 Code: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00
 RSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283
 RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a
 RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870
 RBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877
 R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000
 R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000
 FS:  0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
 S:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
  test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]
  mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016
  release_sock+0xb4/0x1b0 net/core/sock.c:3204
  mptcp_wait_data net/mptcp/protocol.c:1770 [inline]
  mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080
  inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659
  sock_recvmsg_nosec net/socket.c:944 [inline]
  ____sys_recvmsg+0x527/0x600 net/socket.c:2626
  ___sys_recvmsg+0x127/0x200 net/socket.c:2670
  do_recvmmsg+0x24d/0x6d0 net/socket.c:2764
  __sys_recvmmsg net/socket.c:2843 [inline]
  __do_sys_recvmmsg net/socket.c:2866 [inline]
  __se_sys_recvmmsg net/socket.c:2859 [inline]
  __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fc200d2dc39
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007ffc5758e5a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc200d2dc39
 RDX: 0000000000000002 RSI: 00000000200017c0 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000f0b5ff
 R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000000003
 R13: 00007ffc5758e5d0 R14: 00007ffc5758e5c0 R15: 0000000000000003

 Fix the issue by replacing the MPTCP_DATA_READY bit with direct
 inspection of the msk receive queue.

 The Linux kernel CVE team has assigned CVE-2021-47448 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 7a6a6cbc3e592e339ad23e4e8ede9a3f6160bda8 and fixed in 5.14.14 with commit 1a4554e94f0deff9fc1dc5addf93fa579cc29711
 	Issue introduced in 5.6 with commit 7a6a6cbc3e592e339ad23e4e8ede9a3f6160bda8 and fixed in 5.15 with commit 612f71d7328c14369924384ad2170aae2a6abd92

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47448
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/protocol.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1a4554e94f0deff9fc1dc5addf93fa579cc29711
 	https://git.kernel.org/stable/c/612f71d7328c14369924384ad2170aae2a6abd92
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47448: mptcp: fix possible stall on recvmsg()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: fix possible stall on recvmsg()

	recvmsg() can enter an infinite loop if the caller provides the
	MSG_WAITALL, the data present in the receive queue is not sufficient to
	fulfill the request, and no more data is received by the peer.

	When the above happens, mptcp_wait_data() will always return with
	no wait, as the MPTCP_DATA_READY flag checked by such function is
	set and never cleared in such code path.

	Leveraging the above syzbot was able to trigger an RCU stall:

	rcu: INFO: rcu_preempt self-detected stall on CPU
	rcu: 0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1
	(t=10500 jiffies g=13089 q=109)
	rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
	rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
	rcu: RCU grace-period kthread stack dump:
	task:rcu_preempt state:R running task stack:28696 pid: 14 ppid: 2 flags:0x00004000
	Call Trace:
	context_switch kernel/sched/core.c:4955 [inline]
	__schedule+0x940/0x26f0 kernel/sched/core.c:6236
	schedule+0xd3/0x270 kernel/sched/core.c:6315
	schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881
	rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955
	rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128
	kthread+0x405/0x4f0 kernel/kthread.c:327
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
	rcu: Stack dump where RCU GP kthread last ran:
	Sending NMI from CPU 0 to CPUs 1:
	NMI backtrace for cpu 1
	CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]
	RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
	RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
	RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
	RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
	RIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189
	Code: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00
	RSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283
	RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a
	RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870
	RBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877
	R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000
	R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000
	FS: 0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
	S: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
	test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]
	mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016
	release_sock+0xb4/0x1b0 net/core/sock.c:3204
	mptcp_wait_data net/mptcp/protocol.c:1770 [inline]
	mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080
	inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659
	sock_recvmsg_nosec net/socket.c:944 [inline]
	____sys_recvmsg+0x527/0x600 net/socket.c:2626
	___sys_recvmsg+0x127/0x200 net/socket.c:2670
	do_recvmmsg+0x24d/0x6d0 net/socket.c:2764
	__sys_recvmmsg net/socket.c:2843 [inline]
	__do_sys_recvmmsg net/socket.c:2866 [inline]
	__se_sys_recvmmsg net/socket.c:2859 [inline]
	__x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	RIP: 0033:0x7fc200d2dc39
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007ffc5758e5a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
	RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc200d2dc39
	RDX: 0000000000000002 RSI: 00000000200017c0 RDI: 0000000000000003
	RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000f0b5ff
	R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000000003
	R13: 00007ffc5758e5d0 R14: 00007ffc5758e5c0 R15: 0000000000000003

	Fix the issue by replacing the MPTCP_DATA_READY bit with direct
	inspection of the msk receive queue.

	The Linux kernel CVE team has assigned CVE-2021-47448 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 7a6a6cbc3e592e339ad23e4e8ede9a3f6160bda8 and fixed in 5.14.14 with commit 1a4554e94f0deff9fc1dc5addf93fa579cc29711
	Issue introduced in 5.6 with commit 7a6a6cbc3e592e339ad23e4e8ede9a3f6160bda8 and fixed in 5.15 with commit 612f71d7328c14369924384ad2170aae2a6abd92

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47448
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/protocol.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1a4554e94f0deff9fc1dc5addf93fa579cc29711
	https://git.kernel.org/stable/c/612f71d7328c14369924384ad2170aae2a6abd92