cve/published/2024/CVE-2024-37356.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-37356: tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

 In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
 as follows:

   alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
   ...
   delivered_ce <<= (10 - dctcp_shift_g);

 It seems syzkaller started fuzzing module parameters and triggered
 shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:

   memcpy((void*)0x20000080,
          "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
   res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,
                 /*flags=*/2ul, /*mode=*/0ul);
   memcpy((void*)0x20000000, "100\000", 4);
   syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);

 Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().

 With this patch:

   # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
   # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g
   10
   # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
   -bash: echo: write error: Invalid argument

 [0]:
 UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
 shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
 CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
 1.13.0-1ubuntu1.1 04/01/2014
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
  ubsan_epilogue lib/ubsan.c:231 [inline]
  __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
  dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
  tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
  tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
  tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
  tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
  sk_backlog_rcv include/net/sock.h:1106 [inline]
  __release_sock+0x20f/0x350 net/core/sock.c:2983
  release_sock+0x61/0x1f0 net/core/sock.c:3549
  mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
  mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
  __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
  mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
  inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
  __sock_release net/socket.c:659 [inline]
  sock_close+0xc0/0x240 net/socket.c:1421
  __fput+0x41b/0x890 fs/file_table.c:422
  task_work_run+0x23b/0x300 kernel/task_work.c:180
  exit_task_work include/linux/task_work.h:38 [inline]
  do_exit+0x9c8/0x2540 kernel/exit.c:878
  do_group_exit+0x201/0x2b0 kernel/exit.c:1027
  __do_sys_exit_group kernel/exit.c:1038 [inline]
  __se_sys_exit_group kernel/exit.c:1036 [inline]
  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x67/0x6f
 RIP: 0033:0x7f6c2b5005b6
 Code: Unable to access opcode bytes at 0x7f6c2b50058c.
 RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
 RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
 RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
 RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-37356 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 4.19.316 with commit 06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 5.4.278 with commit 6aacaa80d962f4916ccf90e2080306cec6c90fcf
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 5.10.219 with commit e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 5.15.161 with commit 8602150286a2a860a1dc55cbd04f99316f19b40a
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.1.93 with commit e65d13ec00a738fa7661925fd5929ab3c765d4be
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.6.33 with commit 02261d3f9dc7d1d7be7d778f839e3404ab99034c
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.9.4 with commit 237340dee373b97833a491d2e99fcf1d4a9adafd
 	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.10 with commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-37356
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp_dctcp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
 	https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf
 	https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31
 	https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a
 	https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be
 	https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c
 	https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd
 	https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-37356: tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

	In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
	as follows:

	alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
	...
	delivered_ce <<= (10 - dctcp_shift_g);

	It seems syzkaller started fuzzing module parameters and triggered
	shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:

	memcpy((void*)0x20000080,
	"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
	res = syscall(__NR_openat, /fd=/0xffffffffffffff9cul, /file=/0x20000080ul,
	/flags=/2ul, /mode=/0ul);
	memcpy((void*)0x20000000, "100\000", 4);
	syscall(__NR_write, /fd=/r[0], /val=/0x20000000ul, /len=/4ul);

	Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().

	With this patch:

	# echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
	# cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g
	10
	# echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
	-bash: echo: write error: Invalid argument

	[0]:
	UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
	shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
	CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
	1.13.0-1ubuntu1.1 04/01/2014
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
	ubsan_epilogue lib/ubsan.c:231 [inline]
	__ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
	dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
	tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
	tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
	tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
	tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
	sk_backlog_rcv include/net/sock.h:1106 [inline]
	__release_sock+0x20f/0x350 net/core/sock.c:2983
	release_sock+0x61/0x1f0 net/core/sock.c:3549
	mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
	mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
	__mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
	mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
	inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
	__sock_release net/socket.c:659 [inline]
	sock_close+0xc0/0x240 net/socket.c:1421
	__fput+0x41b/0x890 fs/file_table.c:422
	task_work_run+0x23b/0x300 kernel/task_work.c:180
	exit_task_work include/linux/task_work.h:38 [inline]
	do_exit+0x9c8/0x2540 kernel/exit.c:878
	do_group_exit+0x201/0x2b0 kernel/exit.c:1027
	__do_sys_exit_group kernel/exit.c:1038 [inline]
	__se_sys_exit_group kernel/exit.c:1036 [inline]
	__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x67/0x6f
	RIP: 0033:0x7f6c2b5005b6
	Code: Unable to access opcode bytes at 0x7f6c2b50058c.
	RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
	RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
	RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
	RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
	R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
	R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-37356 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 4.19.316 with commit 06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 5.4.278 with commit 6aacaa80d962f4916ccf90e2080306cec6c90fcf
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 5.10.219 with commit e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 5.15.161 with commit 8602150286a2a860a1dc55cbd04f99316f19b40a
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.1.93 with commit e65d13ec00a738fa7661925fd5929ab3c765d4be
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.6.33 with commit 02261d3f9dc7d1d7be7d778f839e3404ab99034c
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.9.4 with commit 237340dee373b97833a491d2e99fcf1d4a9adafd
	Issue introduced in 3.18 with commit e3118e8359bb7c59555aca60c725106e6d78c5ce and fixed in 6.10 with commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-37356
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp_dctcp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
	https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf
	https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31
	https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a
	https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be
	https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c
	https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd
	https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66