cve/published/2022/CVE-2022-48839.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48839: net/packet: fix slab-out-of-bounds access in packet_recvmsg()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/packet: fix slab-out-of-bounds access in packet_recvmsg()

 syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
 and mmap operations, tpacket_rcv() is queueing skbs with
 garbage in skb->cb[], triggering a too big copy [1]

 Presumably, users of af_packet using mmap() already gets correct
 metadata from the mapped buffer, we can simply make sure
 to clear 12 bytes that might be copied to user space later.

 BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
 BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
 Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631

 CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
  __kasan_report mm/kasan/report.c:442 [inline]
  kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
  check_region_inline mm/kasan/generic.c:183 [inline]
  kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
  memcpy+0x39/0x60 mm/kasan/shadow.c:66
  memcpy include/linux/fortify-string.h:225 [inline]
  packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
  sock_recvmsg_nosec net/socket.c:948 [inline]
  sock_recvmsg net/socket.c:966 [inline]
  sock_recvmsg net/socket.c:962 [inline]
  ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
  ___sys_recvmsg+0x127/0x200 net/socket.c:2674
  __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fdfd5954c29
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
 RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
 R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
  </TASK>

 addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
  ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246

 this frame has 1 object:
  [32, 160) 'addr'

 Memory state around the buggy address:
  ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
  ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
 >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
                                                                 ^
  ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
  ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
 ==================================================================

 The Linux kernel CVE team has assigned CVE-2022-48839 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 4.9.308 with commit b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 4.14.273 with commit b1e27cda1e3c12b705875bb7e247a97168580e33
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 4.19.236 with commit a33dd1e6693f80d805155b3f69c18c2f642915da
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.4.187 with commit 268dcf1f7b3193bc446ec3d14e08a240e9561e4d
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.10.108 with commit 70b7b3c055fd4a464da8da55ff4c1f84269f9b02
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.15.31 with commit a055f5f2841f7522b44a2b1eccb1951b4b03d51a
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.16.17 with commit ef591b35176029fdefea38e8388ffa371e18f4b2
 	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.17 with commit c700525fcc06b05adfea78039de02628af79e07a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48839
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/packet/af_packet.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0
 	https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33
 	https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da
 	https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d
 	https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02
 	https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a
 	https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2
 	https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48839: net/packet: fix slab-out-of-bounds access in packet_recvmsg()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/packet: fix slab-out-of-bounds access in packet_recvmsg()

	syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
	and mmap operations, tpacket_rcv() is queueing skbs with
	garbage in skb->cb[], triggering a too big copy [1]

	Presumably, users of af_packet using mmap() already gets correct
	metadata from the mapped buffer, we can simply make sure
	to clear 12 bytes that might be copied to user space later.

	BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
	BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
	Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631

	CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
	__kasan_report mm/kasan/report.c:442 [inline]
	kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
	check_region_inline mm/kasan/generic.c:183 [inline]
	kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
	memcpy+0x39/0x60 mm/kasan/shadow.c:66
	memcpy include/linux/fortify-string.h:225 [inline]
	packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
	sock_recvmsg_nosec net/socket.c:948 [inline]
	sock_recvmsg net/socket.c:966 [inline]
	sock_recvmsg net/socket.c:962 [inline]
	____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
	___sys_recvmsg+0x127/0x200 net/socket.c:2674
	__sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	RIP: 0033:0x7fdfd5954c29
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
	RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
	RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
	RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
	R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
	R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
	</TASK>

	addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
	____sys_recvmsg+0x0/0x600 include/linux/uio.h:246

	this frame has 1 object:
	[32, 160) 'addr'

	Memory state around the buggy address:
	ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
	ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
	>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
	^
	ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
	ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
	==================================================================

	The Linux kernel CVE team has assigned CVE-2022-48839 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 4.9.308 with commit b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 4.14.273 with commit b1e27cda1e3c12b705875bb7e247a97168580e33
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 4.19.236 with commit a33dd1e6693f80d805155b3f69c18c2f642915da
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.4.187 with commit 268dcf1f7b3193bc446ec3d14e08a240e9561e4d
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.10.108 with commit 70b7b3c055fd4a464da8da55ff4c1f84269f9b02
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.15.31 with commit a055f5f2841f7522b44a2b1eccb1951b4b03d51a
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.16.17 with commit ef591b35176029fdefea38e8388ffa371e18f4b2
	Issue introduced in 2.6.14 with commit 0fb375fb9b93b7d822debc6a734052337ccfdb1f and fixed in 5.17 with commit c700525fcc06b05adfea78039de02628af79e07a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48839
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/packet/af_packet.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0
	https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33
	https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da
	https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d
	https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02
	https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a
	https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2
	https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a