cve/published/2022/CVE-2022-48906.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48906: mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

 Syzkaller with UBSAN uncovered a scenario where a large number of
 DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN
 timeout calculation:

 ================================================================================
 UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29
 shift exponent 32 is too large for 32-bit type 'unsigned int'
 CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 Workqueue: events mptcp_worker
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
  __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330
  mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]
  __mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445
  mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528
  process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307
  worker_thread+0x95/0xe10 kernel/workqueue.c:2454
  kthread+0x2f4/0x3b0 kernel/kthread.c:377
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
  </TASK>
 ================================================================================

 This change limits the maximum timeout by limiting the size of the
 shift, which keeps all intermediate values in-bounds.

 The Linux kernel CVE team has assigned CVE-2022-48906 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 6477dd39e62c3a67cfa368ddc127410b4ae424c6 and fixed in 5.15.27 with commit 0c3f34beb459753f9f80d0cc14c1b50ab615c631
 	Issue introduced in 5.13 with commit 6477dd39e62c3a67cfa368ddc127410b4ae424c6 and fixed in 5.16.13 with commit 03ae283bd71f761feae3f402668d698b393b0e79
 	Issue introduced in 5.13 with commit 6477dd39e62c3a67cfa368ddc127410b4ae424c6 and fixed in 5.17 with commit 877d11f0332cd2160e19e3313e262754c321fa36
 	Issue introduced in 5.12.4 with commit 0af76111c2a6326e4bb56f64a6e453c6ec6dd2da

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48906
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/protocol.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0c3f34beb459753f9f80d0cc14c1b50ab615c631
 	https://git.kernel.org/stable/c/03ae283bd71f761feae3f402668d698b393b0e79
 	https://git.kernel.org/stable/c/877d11f0332cd2160e19e3313e262754c321fa36
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48906: mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

	Syzkaller with UBSAN uncovered a scenario where a large number of
	DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN
	timeout calculation:

	================================================================================
	UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29
	shift exponent 32 is too large for 32-bit type 'unsigned int'
	CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
	Workqueue: events mptcp_worker
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
	__ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330
	mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]
	__mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445
	mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528
	process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307
	worker_thread+0x95/0xe10 kernel/workqueue.c:2454
	kthread+0x2f4/0x3b0 kernel/kthread.c:377
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
	</TASK>
	================================================================================

	This change limits the maximum timeout by limiting the size of the
	shift, which keeps all intermediate values in-bounds.

	The Linux kernel CVE team has assigned CVE-2022-48906 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 6477dd39e62c3a67cfa368ddc127410b4ae424c6 and fixed in 5.15.27 with commit 0c3f34beb459753f9f80d0cc14c1b50ab615c631
	Issue introduced in 5.13 with commit 6477dd39e62c3a67cfa368ddc127410b4ae424c6 and fixed in 5.16.13 with commit 03ae283bd71f761feae3f402668d698b393b0e79
	Issue introduced in 5.13 with commit 6477dd39e62c3a67cfa368ddc127410b4ae424c6 and fixed in 5.17 with commit 877d11f0332cd2160e19e3313e262754c321fa36
	Issue introduced in 5.12.4 with commit 0af76111c2a6326e4bb56f64a6e453c6ec6dd2da

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48906
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/protocol.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0c3f34beb459753f9f80d0cc14c1b50ab615c631
	https://git.kernel.org/stable/c/03ae283bd71f761feae3f402668d698b393b0e79
	https://git.kernel.org/stable/c/877d11f0332cd2160e19e3313e262754c321fa36