cve/published/2021/CVE-2021-47544.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47544: tcp: fix page frag corruption on page fault

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tcp: fix page frag corruption on page fault

 Steffen reported a TCP stream corruption for HTTP requests
 served by the apache web-server using a cifs mount-point
 and memory mapping the relevant file.

 The root cause is quite similar to the one addressed by
 commit 20eb4f29b602 ("net: fix sk_page_frag() recursion from
 memory reclaim"). Here the nested access to the task page frag
 is caused by a page fault on the (mmapped) user-space memory
 buffer coming from the cifs file.

 The page fault handler performs an smb transaction on a different
 socket, inside the same process context. Since sk->sk_allaction
 for such socket does not prevent the usage for the task_frag,
 the nested allocation modify "under the hood" the page frag
 in use by the outer sendmsg call, corrupting the stream.

 The overall relevant stack trace looks like the following:

 httpd 78268 [001] 3461630.850950:      probe:tcp_sendmsg_locked:
         ffffffff91461d91 tcp_sendmsg_locked+0x1
         ffffffff91462b57 tcp_sendmsg+0x27
         ffffffff9139814e sock_sendmsg+0x3e
         ffffffffc06dfe1d smb_send_kvec+0x28
         [...]
         ffffffffc06cfaf8 cifs_readpages+0x213
         ffffffff90e83c4b read_pages+0x6b
         ffffffff90e83f31 __do_page_cache_readahead+0x1c1
         ffffffff90e79e98 filemap_fault+0x788
         ffffffff90eb0458 __do_fault+0x38
         ffffffff90eb5280 do_fault+0x1a0
         ffffffff90eb7c84 __handle_mm_fault+0x4d4
         ffffffff90eb8093 handle_mm_fault+0xc3
         ffffffff90c74f6d __do_page_fault+0x1ed
         ffffffff90c75277 do_page_fault+0x37
         ffffffff9160111e page_fault+0x1e
         ffffffff9109e7b5 copyin+0x25
         ffffffff9109eb40 _copy_from_iter_full+0xe0
         ffffffff91462370 tcp_sendmsg_locked+0x5e0
         ffffffff91462370 tcp_sendmsg_locked+0x5e0
         ffffffff91462b57 tcp_sendmsg+0x27
         ffffffff9139815c sock_sendmsg+0x4c
         ffffffff913981f7 sock_write_iter+0x97
         ffffffff90f2cc56 do_iter_readv_writev+0x156
         ffffffff90f2dff0 do_iter_write+0x80
         ffffffff90f2e1c3 vfs_writev+0xa3
         ffffffff90f2e27c do_writev+0x5c
         ffffffff90c042bb do_syscall_64+0x5b
         ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65

 The cifs filesystem rightfully sets sk_allocations to GFP_NOFS,
 we can avoid the nesting using the sk page frag for allocation
 lacking the __GFP_FS flag. Do not define an additional mm-helper
 for that, as this is strictly tied to the sk page frag usage.

 v1 -> v2:
  - use a stricted sk_page_frag() check instead of reordering the
    code (Eric)

 The Linux kernel CVE team has assigned CVE-2021-47544 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.7 with commit 5640f7685831e088fe6c2e1f863a6805962f8e81 and fixed in 5.10.84 with commit c6f340a331fb72e5ac23a083de9c780e132ca3ae
 	Issue introduced in 3.7 with commit 5640f7685831e088fe6c2e1f863a6805962f8e81 and fixed in 5.15.7 with commit 5a9afcd827cafe14a95c9fcbded2c2d104f18dfc
 	Issue introduced in 3.7 with commit 5640f7685831e088fe6c2e1f863a6805962f8e81 and fixed in 5.16 with commit dacb5d8875cc6cd3a553363b4d6f06760fcbe70c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47544
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/sock.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c6f340a331fb72e5ac23a083de9c780e132ca3ae
 	https://git.kernel.org/stable/c/5a9afcd827cafe14a95c9fcbded2c2d104f18dfc
 	https://git.kernel.org/stable/c/dacb5d8875cc6cd3a553363b4d6f06760fcbe70c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47544: tcp: fix page frag corruption on page fault

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tcp: fix page frag corruption on page fault

	Steffen reported a TCP stream corruption for HTTP requests
	served by the apache web-server using a cifs mount-point
	and memory mapping the relevant file.

	The root cause is quite similar to the one addressed by
	commit 20eb4f29b602 ("net: fix sk_page_frag() recursion from
	memory reclaim"). Here the nested access to the task page frag
	is caused by a page fault on the (mmapped) user-space memory
	buffer coming from the cifs file.

	The page fault handler performs an smb transaction on a different
	socket, inside the same process context. Since sk->sk_allaction
	for such socket does not prevent the usage for the task_frag,
	the nested allocation modify "under the hood" the page frag
	in use by the outer sendmsg call, corrupting the stream.

	The overall relevant stack trace looks like the following:

	httpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked:
	ffffffff91461d91 tcp_sendmsg_locked+0x1
	ffffffff91462b57 tcp_sendmsg+0x27
	ffffffff9139814e sock_sendmsg+0x3e
	ffffffffc06dfe1d smb_send_kvec+0x28
	[...]
	ffffffffc06cfaf8 cifs_readpages+0x213
	ffffffff90e83c4b read_pages+0x6b
	ffffffff90e83f31 __do_page_cache_readahead+0x1c1
	ffffffff90e79e98 filemap_fault+0x788
	ffffffff90eb0458 __do_fault+0x38
	ffffffff90eb5280 do_fault+0x1a0
	ffffffff90eb7c84 __handle_mm_fault+0x4d4
	ffffffff90eb8093 handle_mm_fault+0xc3
	ffffffff90c74f6d __do_page_fault+0x1ed
	ffffffff90c75277 do_page_fault+0x37
	ffffffff9160111e page_fault+0x1e
	ffffffff9109e7b5 copyin+0x25
	ffffffff9109eb40 _copy_from_iter_full+0xe0
	ffffffff91462370 tcp_sendmsg_locked+0x5e0
	ffffffff91462370 tcp_sendmsg_locked+0x5e0
	ffffffff91462b57 tcp_sendmsg+0x27
	ffffffff9139815c sock_sendmsg+0x4c
	ffffffff913981f7 sock_write_iter+0x97
	ffffffff90f2cc56 do_iter_readv_writev+0x156
	ffffffff90f2dff0 do_iter_write+0x80
	ffffffff90f2e1c3 vfs_writev+0xa3
	ffffffff90f2e27c do_writev+0x5c
	ffffffff90c042bb do_syscall_64+0x5b
	ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65

	The cifs filesystem rightfully sets sk_allocations to GFP_NOFS,
	we can avoid the nesting using the sk page frag for allocation
	lacking the __GFP_FS flag. Do not define an additional mm-helper
	for that, as this is strictly tied to the sk page frag usage.

	v1 -> v2:
	- use a stricted sk_page_frag() check instead of reordering the
	code (Eric)

	The Linux kernel CVE team has assigned CVE-2021-47544 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.7 with commit 5640f7685831e088fe6c2e1f863a6805962f8e81 and fixed in 5.10.84 with commit c6f340a331fb72e5ac23a083de9c780e132ca3ae
	Issue introduced in 3.7 with commit 5640f7685831e088fe6c2e1f863a6805962f8e81 and fixed in 5.15.7 with commit 5a9afcd827cafe14a95c9fcbded2c2d104f18dfc
	Issue introduced in 3.7 with commit 5640f7685831e088fe6c2e1f863a6805962f8e81 and fixed in 5.16 with commit dacb5d8875cc6cd3a553363b4d6f06760fcbe70c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47544
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/sock.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c6f340a331fb72e5ac23a083de9c780e132ca3ae
	https://git.kernel.org/stable/c/5a9afcd827cafe14a95c9fcbded2c2d104f18dfc
	https://git.kernel.org/stable/c/dacb5d8875cc6cd3a553363b4d6f06760fcbe70c