cve/published/2022/CVE-2022-48970.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48970: af_unix: Get user_ns from in_skb in unix_diag_get_exact().

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: Get user_ns from in_skb in unix_diag_get_exact().

 Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
 the root cause: in unix_diag_get_exact(), the newly allocated skb does not
 have sk. [2]

 We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
 sk_diag_fill().

 [0]:
 BUG: kernel NULL pointer dereference, address: 0000000000000270
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP
 CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
 rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
 RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
 RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
 RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
 Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
 54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
 9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
 RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
 RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
 RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
 RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
 R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
 R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
 FS:  00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  unix_diag_get_exact net/unix/diag.c:285 [inline]
  unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
  __sock_diag_cmd net/core/sock_diag.c:235 [inline]
  sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
  netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
  sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
  netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
  netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
  netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
  sock_sendmsg_nosec net/socket.c:714 [inline]
  sock_sendmsg net/socket.c:734 [inline]
  ____sys_sendmsg+0x38f/0x500 net/socket.c:2476
  ___sys_sendmsg net/socket.c:2530 [inline]
  __sys_sendmsg+0x197/0x230 net/socket.c:2559
  __do_sys_sendmsg net/socket.c:2568 [inline]
  __se_sys_sendmsg net/socket.c:2566 [inline]
  __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 RIP: 0033:0x4697f9
 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
 RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
 R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
  </TASK>
 Modules linked in:
 CR2: 0000000000000270

 [1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
 [2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/

 The Linux kernel CVE team has assigned CVE-2022-48970 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 5.4.227 with commit c66d78aee55dab72c92020ebfbebc464d4f5dd2a
 	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 5.10.159 with commit 575a6266f63dbb3b8eb1da03671451f0d81b8034
 	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 5.15.83 with commit 5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
 	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 6.0.13 with commit 9c1d6f79a2c7b8221dcec27defc6dc461052ead4
 	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 6.1 with commit b3abe42e94900bdd045c472f9c9be620ba5ce553

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48970
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/diag.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c66d78aee55dab72c92020ebfbebc464d4f5dd2a
 	https://git.kernel.org/stable/c/575a6266f63dbb3b8eb1da03671451f0d81b8034
 	https://git.kernel.org/stable/c/5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
 	https://git.kernel.org/stable/c/9c1d6f79a2c7b8221dcec27defc6dc461052ead4
 	https://git.kernel.org/stable/c/b3abe42e94900bdd045c472f9c9be620ba5ce553
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48970: af_unix: Get user_ns from in_skb in unix_diag_get_exact().

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: Get user_ns from in_skb in unix_diag_get_exact().

	Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
	the root cause: in unix_diag_get_exact(), the newly allocated skb does not
	have sk. [2]

	We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
	sk_diag_fill().

	[0]:
	BUG: kernel NULL pointer dereference, address: 0000000000000270
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
	Oops: 0000 [#1] PREEMPT SMP
	CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
	rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
	RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
	RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
	RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
	Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
	54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
	9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
	RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
	RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
	RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
	RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
	R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
	R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
	FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	unix_diag_get_exact net/unix/diag.c:285 [inline]
	unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
	__sock_diag_cmd net/core/sock_diag.c:235 [inline]
	sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
	netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
	sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
	netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
	netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
	netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
	sock_sendmsg_nosec net/socket.c:714 [inline]
	sock_sendmsg net/socket.c:734 [inline]
	____sys_sendmsg+0x38f/0x500 net/socket.c:2476
	___sys_sendmsg net/socket.c:2530 [inline]
	__sys_sendmsg+0x197/0x230 net/socket.c:2559
	__do_sys_sendmsg net/socket.c:2568 [inline]
	__se_sys_sendmsg net/socket.c:2566 [inline]
	__x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	RIP: 0033:0x4697f9
	Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
	89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
	01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
	RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
	RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
	RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
	R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
	</TASK>
	Modules linked in:
	CR2: 0000000000000270

	[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
	[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/

	The Linux kernel CVE team has assigned CVE-2022-48970 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 5.4.227 with commit c66d78aee55dab72c92020ebfbebc464d4f5dd2a
	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 5.10.159 with commit 575a6266f63dbb3b8eb1da03671451f0d81b8034
	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 5.15.83 with commit 5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 6.0.13 with commit 9c1d6f79a2c7b8221dcec27defc6dc461052ead4
	Issue introduced in 5.3 with commit cae9910e73446cac68a54e3a7b02aaa12b689026 and fixed in 6.1 with commit b3abe42e94900bdd045c472f9c9be620ba5ce553

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48970
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/diag.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c66d78aee55dab72c92020ebfbebc464d4f5dd2a
	https://git.kernel.org/stable/c/575a6266f63dbb3b8eb1da03671451f0d81b8034
	https://git.kernel.org/stable/c/5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
	https://git.kernel.org/stable/c/9c1d6f79a2c7b8221dcec27defc6dc461052ead4
	https://git.kernel.org/stable/c/b3abe42e94900bdd045c472f9c9be620ba5ce553