| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-41048: skmsg: Skip zero length skb in sk_msg_recvmsg |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| skmsg: Skip zero length skb in sk_msg_recvmsg |
| |
| When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch |
| platform, the following kernel panic occurs: |
| |
| [...] |
| Oops[#1]: |
| CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 |
| Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 |
| ... ... |
| ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 |
| ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 |
| CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) |
| PRMD: 0000000c (PPLV0 +PIE +PWE) |
| EUEN: 00000007 (+FPE +SXE +ASXE -BTE) |
| ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) |
| ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) |
| BADV: 0000000000000040 |
| PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) |
| Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack |
| Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) |
| Stack : ... |
| Call Trace: |
| [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 |
| [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 |
| [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 |
| [<90000000049aae34>] inet_recvmsg+0x54/0x100 |
| [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 |
| [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 |
| [<900000000481e27c>] sys_recvfrom+0x1c/0x40 |
| [<9000000004c076ec>] do_syscall+0x8c/0xc0 |
| [<9000000003731da4>] handle_syscall+0xc4/0x160 |
| Code: ... |
| ---[ end trace 0000000000000000 ]--- |
| Kernel panic - not syncing: Fatal exception |
| Kernel relocated by 0x3510000 |
| .text @ 0x9000000003710000 |
| .data @ 0x9000000004d70000 |
| .bss @ 0x9000000006469400 |
| ---[ end Kernel panic - not syncing: Fatal exception ]--- |
| [...] |
| |
| This crash happens every time when running sockmap_skb_verdict_shutdown |
| subtest in sockmap_basic. |
| |
| This crash is because a NULL pointer is passed to page_address() in the |
| sk_msg_recvmsg(). Due to the different implementations depending on the |
| architecture, page_address(NULL) will trigger a panic on Loongarch |
| platform but not on x86 platform. So this bug was hidden on x86 platform |
| for a while, but now it is exposed on Loongarch platform. The root cause |
| is that a zero length skb (skb->len == 0) was put on the queue. |
| |
| This zero length skb is a TCP FIN packet, which was sent by shutdown(), |
| invoked in test_sockmap_skb_verdict_shutdown(): |
| |
| shutdown(p1, SHUT_WR); |
| |
| In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no |
| page is put to this sge (see sg_set_page in sg_set_page), but this empty |
| sge is queued into ingress_msg list. |
| |
| And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by |
| sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it |
| to kmap_local_page() and to page_address(), then kernel panics. |
| |
| To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(), |
| if copy is zero, that means it's a zero length skb, skip invoking |
| copy_page_to_iter(). We are using the EFAULT return triggered by |
| copy_page_to_iter to check for is_fin in tcp_bpf.c. |
| |
| The Linux kernel CVE team has assigned CVE-2024-41048 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.163 with commit 195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632 |
| Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.1.100 with commit fb61d7b9fb6ef0032de469499a54dab4c7260d0d |
| Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.6.41 with commit b180739b45a38b4caa88fe16bb5273072e6613dc |
| Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.9.10 with commit f8bd689f37f4198a4c61c4684f591ba639595b97 |
| Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.10 with commit f0c18025693707ec344a70b6887f7450bf4c826b |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-41048 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/core/skmsg.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632 |
| https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d |
| https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc |
| https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97 |
| https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b |
