cve/published/2022/CVE-2022-48855.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48855: sctp: fix kernel-infoleak for SCTP sockets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sctp: fix kernel-infoleak for SCTP sockets

 syzbot reported a kernel infoleak [1] of 4 bytes.

 After analysis, it turned out r->idiag_expires is not initialized
 if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()

 Make sure to clear idiag_timer/idiag_retrans/idiag_expires
 and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

 [1]

 BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
 BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
  instrument_copy_to_user include/linux/instrumented.h:121 [inline]
  copyout lib/iov_iter.c:154 [inline]
  _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
  copy_to_iter include/linux/uio.h:162 [inline]
  simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
  __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
  skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
  skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
  netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
  sock_recvmsg_nosec net/socket.c:948 [inline]
  sock_recvmsg net/socket.c:966 [inline]
  __sys_recvfrom+0x795/0xa10 net/socket.c:2097
  __do_sys_recvfrom net/socket.c:2115 [inline]
  __se_sys_recvfrom net/socket.c:2111 [inline]
  __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Uninit was created at:
  slab_post_alloc_hook mm/slab.h:737 [inline]
  slab_alloc_node mm/slub.c:3247 [inline]
  __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
  kmalloc_reserve net/core/skbuff.c:354 [inline]
  __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
  alloc_skb include/linux/skbuff.h:1158 [inline]
  netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
  __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
  netlink_dump_start include/linux/netlink.h:254 [inline]
  inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
  sock_diag_rcv_msg+0x24a/0x620
  netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
  sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
  netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
  netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
  netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
  sock_sendmsg_nosec net/socket.c:705 [inline]
  sock_sendmsg net/socket.c:725 [inline]
  sock_write_iter+0x594/0x690 net/socket.c:1061
  do_iter_readv_writev+0xa7f/0xc70
  do_iter_write+0x52c/0x1500 fs/read_write.c:851
  vfs_writev fs/read_write.c:924 [inline]
  do_writev+0x645/0xe00 fs/read_write.c:967
  __do_sys_writev fs/read_write.c:1040 [inline]
  __se_sys_writev fs/read_write.c:1037 [inline]
  __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Bytes 68-71 of 2508 are uninitialized
 Memory access of size 2508 starts at ffff888114f9b000
 Data copied to user address 00007f7fe09ff2e0

 CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

 The Linux kernel CVE team has assigned CVE-2022-48855 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 4.9.307 with commit 3fc0fd724d199e061432b66a8d85b7d48fe485f7
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 4.14.272 with commit 41a2864cf719c17294f417726edd411643462ab8
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 4.19.235 with commit 2d8fa3fdf4542a2174a72d92018f488d65d848c5
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.4.185 with commit bbf59d7ae558940cfa2b36a287fd1e88d83f89f8
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.10.106 with commit b7e4d9ba2ddb78801488b4c623875b81fb46b545
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.15.29 with commit 1502f15b9f29c41883a6139f2923523873282a83
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.16.15 with commit d828b0fe6631f3ae8709ac9a10c77c5836c76a08
 	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.17 with commit 633593a808980f82d251d0ca89730d8bb8b0220c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48855
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sctp/diag.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3fc0fd724d199e061432b66a8d85b7d48fe485f7
 	https://git.kernel.org/stable/c/41a2864cf719c17294f417726edd411643462ab8
 	https://git.kernel.org/stable/c/2d8fa3fdf4542a2174a72d92018f488d65d848c5
 	https://git.kernel.org/stable/c/bbf59d7ae558940cfa2b36a287fd1e88d83f89f8
 	https://git.kernel.org/stable/c/b7e4d9ba2ddb78801488b4c623875b81fb46b545
 	https://git.kernel.org/stable/c/1502f15b9f29c41883a6139f2923523873282a83
 	https://git.kernel.org/stable/c/d828b0fe6631f3ae8709ac9a10c77c5836c76a08
 	https://git.kernel.org/stable/c/633593a808980f82d251d0ca89730d8bb8b0220c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48855: sctp: fix kernel-infoleak for SCTP sockets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sctp: fix kernel-infoleak for SCTP sockets

	syzbot reported a kernel infoleak [1] of 4 bytes.

	After analysis, it turned out r->idiag_expires is not initialized
	if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()

	Make sure to clear idiag_timer/idiag_retrans/idiag_expires
	and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

	[1]

	BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
	BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
	BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
	instrument_copy_to_user include/linux/instrumented.h:121 [inline]
	copyout lib/iov_iter.c:154 [inline]
	_copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
	copy_to_iter include/linux/uio.h:162 [inline]
	simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
	__skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
	skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
	skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
	netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
	sock_recvmsg_nosec net/socket.c:948 [inline]
	sock_recvmsg net/socket.c:966 [inline]
	__sys_recvfrom+0x795/0xa10 net/socket.c:2097
	__do_sys_recvfrom net/socket.c:2115 [inline]
	__se_sys_recvfrom net/socket.c:2111 [inline]
	__x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	Uninit was created at:
	slab_post_alloc_hook mm/slab.h:737 [inline]
	slab_alloc_node mm/slub.c:3247 [inline]
	__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
	kmalloc_reserve net/core/skbuff.c:354 [inline]
	__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
	alloc_skb include/linux/skbuff.h:1158 [inline]
	netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
	__netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
	netlink_dump_start include/linux/netlink.h:254 [inline]
	inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
	sock_diag_rcv_msg+0x24a/0x620
	netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
	sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
	netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
	netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
	netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
	sock_sendmsg_nosec net/socket.c:705 [inline]
	sock_sendmsg net/socket.c:725 [inline]
	sock_write_iter+0x594/0x690 net/socket.c:1061
	do_iter_readv_writev+0xa7f/0xc70
	do_iter_write+0x52c/0x1500 fs/read_write.c:851
	vfs_writev fs/read_write.c:924 [inline]
	do_writev+0x645/0xe00 fs/read_write.c:967
	__do_sys_writev fs/read_write.c:1040 [inline]
	__se_sys_writev fs/read_write.c:1037 [inline]
	__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	Bytes 68-71 of 2508 are uninitialized
	Memory access of size 2508 starts at ffff888114f9b000
	Data copied to user address 00007f7fe09ff2e0

	CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

	The Linux kernel CVE team has assigned CVE-2022-48855 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 4.9.307 with commit 3fc0fd724d199e061432b66a8d85b7d48fe485f7
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 4.14.272 with commit 41a2864cf719c17294f417726edd411643462ab8
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 4.19.235 with commit 2d8fa3fdf4542a2174a72d92018f488d65d848c5
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.4.185 with commit bbf59d7ae558940cfa2b36a287fd1e88d83f89f8
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.10.106 with commit b7e4d9ba2ddb78801488b4c623875b81fb46b545
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.15.29 with commit 1502f15b9f29c41883a6139f2923523873282a83
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.16.15 with commit d828b0fe6631f3ae8709ac9a10c77c5836c76a08
	Issue introduced in 4.7 with commit 8f840e47f190cbe61a96945c13e9551048d42cef and fixed in 5.17 with commit 633593a808980f82d251d0ca89730d8bb8b0220c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48855
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sctp/diag.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3fc0fd724d199e061432b66a8d85b7d48fe485f7
	https://git.kernel.org/stable/c/41a2864cf719c17294f417726edd411643462ab8
	https://git.kernel.org/stable/c/2d8fa3fdf4542a2174a72d92018f488d65d848c5
	https://git.kernel.org/stable/c/bbf59d7ae558940cfa2b36a287fd1e88d83f89f8
	https://git.kernel.org/stable/c/b7e4d9ba2ddb78801488b4c623875b81fb46b545
	https://git.kernel.org/stable/c/1502f15b9f29c41883a6139f2923523873282a83
	https://git.kernel.org/stable/c/d828b0fe6631f3ae8709ac9a10c77c5836c76a08
	https://git.kernel.org/stable/c/633593a808980f82d251d0ca89730d8bb8b0220c