cve/published/2024/CVE-2024-26640.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26640: tcp: add sanity checks to rx zerocopy

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tcp: add sanity checks to rx zerocopy

 TCP rx zerocopy intent is to map pages initially allocated
 from NIC drivers, not pages owned by a fs.

 This patch adds to can_map_frag() these additional checks:

 - Page must not be a compound one.
 - page->mapping must be NULL.

 This fixes the panic reported by ZhangPeng.

 syzbot was able to loopback packets built with sendfile(),
 mapping pages owned by an ext4 file to TCP rx zerocopy.

 r3 = socket$inet_tcp(0x2, 0x1, 0x0)
 mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
 r4 = socket$inet_tcp(0x2, 0x1, 0x0)
 bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
 connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
 r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
     0x181e42, 0x0)
 fallocate(r5, 0x0, 0x0, 0x85b8)
 sendfile(r4, r5, 0x0, 0x8ba0)
 getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
     &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
     0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
 r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
     0x181e42, 0x0)

 The Linux kernel CVE team has assigned CVE-2024-26640 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 5.10.210 with commit f48bf9a83b1666d934247cb58a9887d7b3127b6f
 	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 5.15.149 with commit 718f446e60316bf606946f7f42367d691d21541e
 	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.1.77 with commit b383d4ea272fe5795877506dcce5aad1f6330e5e
 	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.6.16 with commit d15cc0f66884ef2bed28c7ccbb11c102aa3a0760
 	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.7.4 with commit 1b8adcc0e2c584fec778add7777fe28e20781e60
 	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.8 with commit 577e4432f3ac810049cb7e6b71f4d96ec7c6e894

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26640
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f
 	https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e
 	https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e
 	https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760
 	https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60
 	https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26640: tcp: add sanity checks to rx zerocopy

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tcp: add sanity checks to rx zerocopy

	TCP rx zerocopy intent is to map pages initially allocated
	from NIC drivers, not pages owned by a fs.

	This patch adds to can_map_frag() these additional checks:

	- Page must not be a compound one.
	- page->mapping must be NULL.

	This fixes the panic reported by ZhangPeng.

	syzbot was able to loopback packets built with sendfile(),
	mapping pages owned by an ext4 file to TCP rx zerocopy.

	r3 = socket$inet_tcp(0x2, 0x1, 0x0)
	mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
	r4 = socket$inet_tcp(0x2, 0x1, 0x0)
	bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
	connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
	r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
	0x181e42, 0x0)
	fallocate(r5, 0x0, 0x0, 0x85b8)
	sendfile(r4, r5, 0x0, 0x8ba0)
	getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
	&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
	0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
	r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
	0x181e42, 0x0)

	The Linux kernel CVE team has assigned CVE-2024-26640 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 5.10.210 with commit f48bf9a83b1666d934247cb58a9887d7b3127b6f
	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 5.15.149 with commit 718f446e60316bf606946f7f42367d691d21541e
	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.1.77 with commit b383d4ea272fe5795877506dcce5aad1f6330e5e
	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.6.16 with commit d15cc0f66884ef2bed28c7ccbb11c102aa3a0760
	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.7.4 with commit 1b8adcc0e2c584fec778add7777fe28e20781e60
	Issue introduced in 4.18 with commit 93ab6cc69162775201587cc9da00d5016dc890e2 and fixed in 6.8 with commit 577e4432f3ac810049cb7e6b71f4d96ec7c6e894

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26640
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f
	https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e
	https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e
	https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760
	https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60
	https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894