cve/published/2021/CVE-2021-47597.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47597: inet_diag: fix kernel-infoleak for UDP sockets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 inet_diag: fix kernel-infoleak for UDP sockets

 KMSAN reported a kernel-infoleak [1], that can exploited
 by unpriv users.

 After analysis it turned out UDP was not initializing
 r->idiag_expires. Other users of inet_sk_diag_fill()
 might make the same mistake in the future, so fix this
 in inet_sk_diag_fill().

 [1]
 BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
 BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
  instrument_copy_to_user include/linux/instrumented.h:121 [inline]
  copyout lib/iov_iter.c:156 [inline]
  _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
  copy_to_iter include/linux/uio.h:155 [inline]
  simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
  __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
  skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
  skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
  netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
  sock_recvmsg_nosec net/socket.c:944 [inline]
  sock_recvmsg net/socket.c:962 [inline]
  sock_read_iter+0x5a9/0x630 net/socket.c:1035
  call_read_iter include/linux/fs.h:2156 [inline]
  new_sync_read fs/read_write.c:400 [inline]
  vfs_read+0x1631/0x1980 fs/read_write.c:481
  ksys_read+0x28c/0x520 fs/read_write.c:619
  __do_sys_read fs/read_write.c:629 [inline]
  __se_sys_read fs/read_write.c:627 [inline]
  __x64_sys_read+0xdb/0x120 fs/read_write.c:627
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Uninit was created at:
  slab_post_alloc_hook mm/slab.h:524 [inline]
  slab_alloc_node mm/slub.c:3251 [inline]
  __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
  kmalloc_reserve net/core/skbuff.c:354 [inline]
  __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
  alloc_skb include/linux/skbuff.h:1126 [inline]
  netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
  __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
  netlink_dump_start include/linux/netlink.h:254 [inline]
  inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
  sock_diag_rcv_msg+0x24a/0x620
  netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
  sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
  netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
  netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
  netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
  sock_sendmsg_nosec net/socket.c:704 [inline]
  sock_sendmsg net/socket.c:724 [inline]
  sock_write_iter+0x594/0x690 net/socket.c:1057
  do_iter_readv_writev+0xa7f/0xc70
  do_iter_write+0x52c/0x1500 fs/read_write.c:851
  vfs_writev fs/read_write.c:924 [inline]
  do_writev+0x63f/0xe30 fs/read_write.c:967
  __do_sys_writev fs/read_write.c:1040 [inline]
  __se_sys_writev fs/read_write.c:1037 [inline]
  __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Bytes 68-71 of 312 are uninitialized
 Memory access of size 312 starts at ffff88812ab54000
 Data copied to user address 0000000020001440

 CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

 The Linux kernel CVE team has assigned CVE-2021-47597 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.4.168 with commit 7b5596e531253ce84213d9daa7120b71c9d83198
 	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.10.88 with commit 3a4f6dba1eb98101abc012ef968a8b10dac1ce50
 	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.15.11 with commit e5d28205bf1de7082d904ed277ceb2db2879e302
 	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.16 with commit 71ddeac8cd1d217744a0e060ff520e147c9328d1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47597
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/inet_diag.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7b5596e531253ce84213d9daa7120b71c9d83198
 	https://git.kernel.org/stable/c/3a4f6dba1eb98101abc012ef968a8b10dac1ce50
 	https://git.kernel.org/stable/c/e5d28205bf1de7082d904ed277ceb2db2879e302
 	https://git.kernel.org/stable/c/71ddeac8cd1d217744a0e060ff520e147c9328d1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47597: inet_diag: fix kernel-infoleak for UDP sockets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	inet_diag: fix kernel-infoleak for UDP sockets

	KMSAN reported a kernel-infoleak [1], that can exploited
	by unpriv users.

	After analysis it turned out UDP was not initializing
	r->idiag_expires. Other users of inet_sk_diag_fill()
	might make the same mistake in the future, so fix this
	in inet_sk_diag_fill().

	[1]
	BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
	BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
	BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
	instrument_copy_to_user include/linux/instrumented.h:121 [inline]
	copyout lib/iov_iter.c:156 [inline]
	_copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
	copy_to_iter include/linux/uio.h:155 [inline]
	simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
	__skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
	skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
	skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
	netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
	sock_recvmsg_nosec net/socket.c:944 [inline]
	sock_recvmsg net/socket.c:962 [inline]
	sock_read_iter+0x5a9/0x630 net/socket.c:1035
	call_read_iter include/linux/fs.h:2156 [inline]
	new_sync_read fs/read_write.c:400 [inline]
	vfs_read+0x1631/0x1980 fs/read_write.c:481
	ksys_read+0x28c/0x520 fs/read_write.c:619
	__do_sys_read fs/read_write.c:629 [inline]
	__se_sys_read fs/read_write.c:627 [inline]
	__x64_sys_read+0xdb/0x120 fs/read_write.c:627
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	Uninit was created at:
	slab_post_alloc_hook mm/slab.h:524 [inline]
	slab_alloc_node mm/slub.c:3251 [inline]
	__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
	kmalloc_reserve net/core/skbuff.c:354 [inline]
	__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
	alloc_skb include/linux/skbuff.h:1126 [inline]
	netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
	__netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
	netlink_dump_start include/linux/netlink.h:254 [inline]
	inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
	sock_diag_rcv_msg+0x24a/0x620
	netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
	sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
	netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
	netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
	netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
	sock_sendmsg_nosec net/socket.c:704 [inline]
	sock_sendmsg net/socket.c:724 [inline]
	sock_write_iter+0x594/0x690 net/socket.c:1057
	do_iter_readv_writev+0xa7f/0xc70
	do_iter_write+0x52c/0x1500 fs/read_write.c:851
	vfs_writev fs/read_write.c:924 [inline]
	do_writev+0x63f/0xe30 fs/read_write.c:967
	__do_sys_writev fs/read_write.c:1040 [inline]
	__se_sys_writev fs/read_write.c:1037 [inline]
	__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	Bytes 68-71 of 312 are uninitialized
	Memory access of size 312 starts at ffff88812ab54000
	Data copied to user address 0000000020001440

	CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

	The Linux kernel CVE team has assigned CVE-2021-47597 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.4.168 with commit 7b5596e531253ce84213d9daa7120b71c9d83198
	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.10.88 with commit 3a4f6dba1eb98101abc012ef968a8b10dac1ce50
	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.15.11 with commit e5d28205bf1de7082d904ed277ceb2db2879e302
	Issue introduced in 3.3 with commit 3c4d05c8056724aff3abc20650807dd828fded54 and fixed in 5.16 with commit 71ddeac8cd1d217744a0e060ff520e147c9328d1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47597
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/inet_diag.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7b5596e531253ce84213d9daa7120b71c9d83198
	https://git.kernel.org/stable/c/3a4f6dba1eb98101abc012ef968a8b10dac1ce50
	https://git.kernel.org/stable/c/e5d28205bf1de7082d904ed277ceb2db2879e302
	https://git.kernel.org/stable/c/71ddeac8cd1d217744a0e060ff520e147c9328d1