cve/published/2024/CVE-2024-50034.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50034: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

 Eric report a panic on IPPROTO_SMC, and give the facts
 that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.

 Bug: Unable to handle kernel NULL pointer dereference at virtual address
 0000000000000000
 Mem abort info:
 ESR = 0x0000000086000005
 EC = 0x21: IABT (current EL), IL = 32 bits
 SET = 0, FnV = 0
 EA = 0, S1PTW = 0
 FSC = 0x05: level 1 translation fault
 user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000
 [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,
 pud=0000000000000000
 Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
 Modules linked in:
 CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted
 6.11.0-rc7-syzkaller-g5f5673607153 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine,
 BIOS Google 08/06/2024
 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : 0x0
 lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910
 sp : ffff80009b887a90
 x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000
 x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00
 x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000
 x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee
 x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001
 x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003
 x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1
 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
 x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000
 x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000
 Call trace:
 0x0
 netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000
 smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593
 smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973
 security_socket_post_create+0x94/0xd4 security/security.c:4425
 __sock_create+0x4c8/0x884 net/socket.c:1587
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x134/0x340 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __arm64_sys_socket+0x7c/0x94 net/socket.c:1718
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
 Code: ???????? ???????? ???????? ???????? (????????)
 ---[ end trace 0000000000000000 ]---

 This patch add a toy implementation that performs a simple return to
 prevent such panic. This is because MSS can be set in sock_create_kern
 or smc_setsockopt, similar to how it's done in AF_SMC. However, for
 AF_SMC, there is currently no way to synchronize MSS within
 __sys_connect_file. This toy implementation lays the groundwork for us
 to support such feature for IPPROTO_SMC in the future.

 The Linux kernel CVE team has assigned CVE-2024-50034 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit d25a92ccae6bed02327b63d138e12e7806830f78 and fixed in 6.11.4 with commit 44dc50df15f5bd4221d8f708885a9d49cda7f57e
 	Issue introduced in 6.11 with commit d25a92ccae6bed02327b63d138e12e7806830f78 and fixed in 6.12 with commit 6fd27ea183c208e478129a85e11d880fc70040f2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50034
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/smc/smc_inet.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/44dc50df15f5bd4221d8f708885a9d49cda7f57e
 	https://git.kernel.org/stable/c/6fd27ea183c208e478129a85e11d880fc70040f2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50034: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

	Eric report a panic on IPPROTO_SMC, and give the facts
	that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.

	Bug: Unable to handle kernel NULL pointer dereference at virtual address
	0000000000000000
	Mem abort info:
	ESR = 0x0000000086000005
	EC = 0x21: IABT (current EL), IL = 32 bits
	SET = 0, FnV = 0
	EA = 0, S1PTW = 0
	FSC = 0x05: level 1 translation fault
	user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000
	[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,
	pud=0000000000000000
	Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
	Modules linked in:
	CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted
	6.11.0-rc7-syzkaller-g5f5673607153 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine,
	BIOS Google 08/06/2024
	pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : 0x0
	lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910
	sp : ffff80009b887a90
	x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000
	x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00
	x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000
	x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee
	x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001
	x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003
	x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1
	x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
	x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000
	x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000
	Call trace:
	0x0
	netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000
	smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593
	smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973
	security_socket_post_create+0x94/0xd4 security/security.c:4425
	__sock_create+0x4c8/0x884 net/socket.c:1587
	sock_create net/socket.c:1622 [inline]
	__sys_socket_create net/socket.c:1659 [inline]
	__sys_socket+0x134/0x340 net/socket.c:1706
	__do_sys_socket net/socket.c:1720 [inline]
	__se_sys_socket net/socket.c:1718 [inline]
	__arm64_sys_socket+0x7c/0x94 net/socket.c:1718
	__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
	invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
	el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
	do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
	el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
	el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
	el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
	Code: ???????? ???????? ???????? ???????? (????????)
	---[ end trace 0000000000000000 ]---

	This patch add a toy implementation that performs a simple return to
	prevent such panic. This is because MSS can be set in sock_create_kern
	or smc_setsockopt, similar to how it's done in AF_SMC. However, for
	AF_SMC, there is currently no way to synchronize MSS within
	__sys_connect_file. This toy implementation lays the groundwork for us
	to support such feature for IPPROTO_SMC in the future.

	The Linux kernel CVE team has assigned CVE-2024-50034 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit d25a92ccae6bed02327b63d138e12e7806830f78 and fixed in 6.11.4 with commit 44dc50df15f5bd4221d8f708885a9d49cda7f57e
	Issue introduced in 6.11 with commit d25a92ccae6bed02327b63d138e12e7806830f78 and fixed in 6.12 with commit 6fd27ea183c208e478129a85e11d880fc70040f2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50034
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/smc/smc_inet.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/44dc50df15f5bd4221d8f708885a9d49cda7f57e
	https://git.kernel.org/stable/c/6fd27ea183c208e478129a85e11d880fc70040f2