| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-53091: bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx |
| |
| As the introduction of the support for vsock and unix sockets in sockmap, |
| tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK. |
| vsock and af_unix sockets have vsock_sock and unix_sock instead of |
| inet_connection_sock. For these sockets, tls_get_ctx may return an invalid |
| pointer and cause page fault in function tls_sw_ctx_rx. |
| |
| BUG: unable to handle page fault for address: 0000000000040030 |
| Workqueue: vsock-loopback vsock_loopback_work |
| RIP: 0010:sk_psock_strp_data_ready+0x23/0x60 |
| Call Trace: |
| ? __die+0x81/0xc3 |
| ? no_context+0x194/0x350 |
| ? do_page_fault+0x30/0x110 |
| ? async_page_fault+0x3e/0x50 |
| ? sk_psock_strp_data_ready+0x23/0x60 |
| virtio_transport_recv_pkt+0x750/0x800 |
| ? update_load_avg+0x7e/0x620 |
| vsock_loopback_work+0xd0/0x100 |
| process_one_work+0x1a7/0x360 |
| worker_thread+0x30/0x390 |
| ? create_worker+0x1a0/0x1a0 |
| kthread+0x112/0x130 |
| ? __kthread_cancel_work+0x40/0x40 |
| ret_from_fork+0x1f/0x40 |
| |
| v2: |
| - Add IS_ICSK check |
| v3: |
| - Update the commits in Fixes |
| |
| The Linux kernel CVE team has assigned CVE-2024-53091 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.15 with commit 94531cfcbe79c3598acf96806627b2137ca32eb9 and fixed in 6.6.62 with commit a078a480ff3f43d74d8a024ae10c3c7daf6db149 |
| Issue introduced in 5.15 with commit 94531cfcbe79c3598acf96806627b2137ca32eb9 and fixed in 6.11.9 with commit 6781cfa93a6a1b7f5be6819a5a2dd8f30f47ca26 |
| Issue introduced in 5.15 with commit 94531cfcbe79c3598acf96806627b2137ca32eb9 and fixed in 6.12 with commit 44d0469f79bd3d0b3433732877358df7dc6b17b1 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-53091 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| include/net/tls.h |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/a078a480ff3f43d74d8a024ae10c3c7daf6db149 |
| https://git.kernel.org/stable/c/6781cfa93a6a1b7f5be6819a5a2dd8f30f47ca26 |
| https://git.kernel.org/stable/c/44d0469f79bd3d0b3433732877358df7dc6b17b1 |
