cve/published/2024/CVE-2024-35894.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35894: mptcp: prevent BPF accessing lowat from a subflow socket.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: prevent BPF accessing lowat from a subflow socket.

 Alexei reported the following splat:

  WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
  Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]
  CPU: 32 PID: 3276 Comm: test_progs Tainted: GO       6.8.0-12873-g2c43c33bfd23
  Call Trace:
   <TASK>
   mptcp_set_rcvlowat+0x79/0x1d0
   sk_setsockopt+0x6c0/0x1540
   __bpf_setsockopt+0x6f/0x90
   bpf_sock_ops_setsockopt+0x3c/0x90
   bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b
   bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132
   bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86
   __cgroup_bpf_run_filter_sock_ops+0xbc/0x250
   tcp_connect+0x879/0x1160
   tcp_v6_connect+0x50c/0x870
   mptcp_connect+0x129/0x280
   __inet_stream_connect+0xce/0x370
   inet_stream_connect+0x36/0x50
   bpf_trampoline_6442491565+0x49/0xef
   inet_stream_connect+0x5/0x50
   __sys_connect+0x63/0x90
   __x64_sys_connect+0x14/0x20

 The root cause of the issue is that bpf allows accessing mptcp-level
 proto_ops from a tcp subflow scope.

 Fix the issue detecting the problematic call and preventing any action.

 The Linux kernel CVE team has assigned CVE-2024-35894 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit 5684ab1a0effbfeb706f47d85785f653005b97b1 and fixed in 6.8.5 with commit 3ffb1ab698376f09cc33101c07c1be229389fe29
 	Issue introduced in 6.7 with commit 5684ab1a0effbfeb706f47d85785f653005b97b1 and fixed in 6.9 with commit fcf4692fa39e86a590c14a4af2de704e1d20a3b5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35894
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/sockopt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ee3c845787b621cfe82c2e52c513024a9d7a78f5
 	https://git.kernel.org/stable/c/3ffb1ab698376f09cc33101c07c1be229389fe29
 	https://git.kernel.org/stable/c/fcf4692fa39e86a590c14a4af2de704e1d20a3b5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35894: mptcp: prevent BPF accessing lowat from a subflow socket.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: prevent BPF accessing lowat from a subflow socket.

	Alexei reported the following splat:

	WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
	Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]
	CPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23
	Call Trace:
	<TASK>
	mptcp_set_rcvlowat+0x79/0x1d0
	sk_setsockopt+0x6c0/0x1540
	__bpf_setsockopt+0x6f/0x90
	bpf_sock_ops_setsockopt+0x3c/0x90
	bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b
	bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132
	bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86
	__cgroup_bpf_run_filter_sock_ops+0xbc/0x250
	tcp_connect+0x879/0x1160
	tcp_v6_connect+0x50c/0x870
	mptcp_connect+0x129/0x280
	__inet_stream_connect+0xce/0x370
	inet_stream_connect+0x36/0x50
	bpf_trampoline_6442491565+0x49/0xef
	inet_stream_connect+0x5/0x50
	__sys_connect+0x63/0x90
	__x64_sys_connect+0x14/0x20

	The root cause of the issue is that bpf allows accessing mptcp-level
	proto_ops from a tcp subflow scope.

	Fix the issue detecting the problematic call and preventing any action.

	The Linux kernel CVE team has assigned CVE-2024-35894 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit 5684ab1a0effbfeb706f47d85785f653005b97b1 and fixed in 6.8.5 with commit 3ffb1ab698376f09cc33101c07c1be229389fe29
	Issue introduced in 6.7 with commit 5684ab1a0effbfeb706f47d85785f653005b97b1 and fixed in 6.9 with commit fcf4692fa39e86a590c14a4af2de704e1d20a3b5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35894
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/sockopt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ee3c845787b621cfe82c2e52c513024a9d7a78f5
	https://git.kernel.org/stable/c/3ffb1ab698376f09cc33101c07c1be229389fe29
	https://git.kernel.org/stable/c/fcf4692fa39e86a590c14a4af2de704e1d20a3b5