cve/published/2022/CVE-2022-49204.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49204: bpf, sockmap: Fix more uncharged while msg has more_data

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, sockmap: Fix more uncharged while msg has more_data

 In tcp_bpf_send_verdict(), if msg has more data after
 tcp_bpf_sendmsg_redir():

 tcp_bpf_send_verdict()
  tosend = msg->sg.size  //msg->sg.size = 22220
  case __SK_REDIRECT:
   sk_msg_return()  //uncharged msg->sg.size(22220) sk->sk_forward_alloc
   tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000
  goto more_data;
  tosend = msg->sg.size  //msg->sg.size = 11000
  case __SK_REDIRECT:
   sk_msg_return()  //uncharged msg->sg.size(11000) to sk->sk_forward_alloc

 The msg->sg.size(11000) has been uncharged twice, to fix we can charge the
 remaining msg->sg.size before goto more data.

 This issue can cause the following info:
 WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0
 Call Trace:
  <TASK>
  inet_csk_destroy_sock+0x55/0x110
  __tcp_close+0x279/0x470
  tcp_close+0x1f/0x60
  inet_release+0x3f/0x80
  __sock_release+0x3d/0xb0
  sock_close+0x11/0x20
  __fput+0x92/0x250
  task_work_run+0x6a/0xa0
  do_exit+0x33b/0xb60
  do_group_exit+0x2f/0xa0
  get_signal+0xb6/0x950
  arch_do_signal_or_restart+0xac/0x2a0
  ? vfs_write+0x237/0x290
  exit_to_user_mode_prepare+0xa9/0x200
  syscall_exit_to_user_mode+0x12/0x30
  do_syscall_64+0x46/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
  </TASK>

 WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
 Call Trace:
  <TASK>
  __sk_destruct+0x24/0x1f0
  sk_psock_destroy+0x19b/0x1c0
  process_one_work+0x1b3/0x3c0
  worker_thread+0x30/0x350
  ? process_one_work+0x3c0/0x3c0
  kthread+0xe6/0x110
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x22/0x30
  </TASK>

 The Linux kernel CVE team has assigned CVE-2022-49204 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.4.189 with commit 244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.110 with commit 7b812a369e6416ab06d83cdd39d8e3f752781dd0
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.33 with commit 168ff181f5b6e7fce684c98a30d35da1dbf8f82a
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.16.19 with commit 87d532d41ef937e16f61b3d2094f3a2ac49be365
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.17.2 with commit abb4caa477a5450817d2aa1198edce66450aecf8
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49204
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp_bpf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf
 	https://git.kernel.org/stable/c/7b812a369e6416ab06d83cdd39d8e3f752781dd0
 	https://git.kernel.org/stable/c/168ff181f5b6e7fce684c98a30d35da1dbf8f82a
 	https://git.kernel.org/stable/c/87d532d41ef937e16f61b3d2094f3a2ac49be365
 	https://git.kernel.org/stable/c/abb4caa477a5450817d2aa1198edce66450aecf8
 	https://git.kernel.org/stable/c/84472b436e760ba439e1969a9e3c5ae7c86de39d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49204: bpf, sockmap: Fix more uncharged while msg has more_data

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, sockmap: Fix more uncharged while msg has more_data

	In tcp_bpf_send_verdict(), if msg has more data after
	tcp_bpf_sendmsg_redir():

	tcp_bpf_send_verdict()
	tosend = msg->sg.size //msg->sg.size = 22220
	case __SK_REDIRECT:
	sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc
	tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000
	goto more_data;
	tosend = msg->sg.size //msg->sg.size = 11000
	case __SK_REDIRECT:
	sk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc

	The msg->sg.size(11000) has been uncharged twice, to fix we can charge the
	remaining msg->sg.size before goto more data.

	This issue can cause the following info:
	WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0
	Call Trace:
	<TASK>
	inet_csk_destroy_sock+0x55/0x110
	__tcp_close+0x279/0x470
	tcp_close+0x1f/0x60
	inet_release+0x3f/0x80
	__sock_release+0x3d/0xb0
	sock_close+0x11/0x20
	__fput+0x92/0x250
	task_work_run+0x6a/0xa0
	do_exit+0x33b/0xb60
	do_group_exit+0x2f/0xa0
	get_signal+0xb6/0x950
	arch_do_signal_or_restart+0xac/0x2a0
	? vfs_write+0x237/0x290
	exit_to_user_mode_prepare+0xa9/0x200
	syscall_exit_to_user_mode+0x12/0x30
	do_syscall_64+0x46/0x80
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	</TASK>

	WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
	Call Trace:
	<TASK>
	__sk_destruct+0x24/0x1f0
	sk_psock_destroy+0x19b/0x1c0
	process_one_work+0x1b3/0x3c0
	worker_thread+0x30/0x350
	? process_one_work+0x3c0/0x3c0
	kthread+0xe6/0x110
	? kthread_complete_and_exit+0x20/0x20
	ret_from_fork+0x22/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2022-49204 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.4.189 with commit 244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.110 with commit 7b812a369e6416ab06d83cdd39d8e3f752781dd0
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.33 with commit 168ff181f5b6e7fce684c98a30d35da1dbf8f82a
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.16.19 with commit 87d532d41ef937e16f61b3d2094f3a2ac49be365
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.17.2 with commit abb4caa477a5450817d2aa1198edce66450aecf8
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49204
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp_bpf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf
	https://git.kernel.org/stable/c/7b812a369e6416ab06d83cdd39d8e3f752781dd0
	https://git.kernel.org/stable/c/168ff181f5b6e7fce684c98a30d35da1dbf8f82a
	https://git.kernel.org/stable/c/87d532d41ef937e16f61b3d2094f3a2ac49be365
	https://git.kernel.org/stable/c/abb4caa477a5450817d2aa1198edce66450aecf8
	https://git.kernel.org/stable/c/84472b436e760ba439e1969a9e3c5ae7c86de39d