cve/published/2022/CVE-2022-49450.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49450: rxrpc: Fix listen() setting the bar too high for the prealloc rings

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 rxrpc: Fix listen() setting the bar too high for the prealloc rings

 AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump
 up the sysctl), but whilst the preallocation circular buffers have 32 slots
 in them, one of them has to be a dead slot because we're using CIRC_CNT().

 This means that listen(rxrpc_sock, 32) will cause an oops when the socket
 is closed because rxrpc_service_prealloc_one() allocated one too many calls
 and rxrpc_discard_prealloc() won't then be able to get rid of them because
 it'll think the ring is empty.  rxrpc_release_calls_on_socket() then tries
 to abort them, but oopses because call->peer isn't yet set.

 Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match
 the ring capacity.

  BUG: kernel NULL pointer dereference, address: 0000000000000086
  ...
  RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
  Call Trace:
   <TASK>
   ? __wake_up_common_lock+0x7a/0x90
   ? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
   ? rxrpc_abort_call+0x4c/0x60 [rxrpc]
   rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
   rxrpc_release+0xc9/0x1c0 [rxrpc]
   __sock_release+0x37/0xa0
   sock_close+0x11/0x20
   __fput+0x89/0x240
   task_work_run+0x59/0x90
   do_exit+0x319/0xaa0

 The Linux kernel CVE team has assigned CVE-2022-49450 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.9.318 with commit 61fb38cfbb1d54d3dafd0c25752f684b3cd00b32
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.14.283 with commit 616f76498d5ddf26b997caf64a95cda3c8a55533
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.19.247 with commit 4a3a78b7918bdd723d8c7c9786522ca969bffcc4
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.4.198 with commit 91b34bf0409f43bb60453bab23c5beadd726d022
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.10.121 with commit 5b4826657d36c218e9f08e8d3223b0edce3de88f
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.15.46 with commit b3a9b227d5e7467b8518160ff034ea22bb9de573
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.17.14 with commit 369de57492c4f1a42563c5a3bd365822ca3bfc79
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.18.3 with commit e198f1930050e3115c80b67d9249f80f98a27c67
 	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.19 with commit 88e22159750b0d55793302eeed8ee603f5c1a95c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49450
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/rxrpc/sysctl.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/61fb38cfbb1d54d3dafd0c25752f684b3cd00b32
 	https://git.kernel.org/stable/c/616f76498d5ddf26b997caf64a95cda3c8a55533
 	https://git.kernel.org/stable/c/4a3a78b7918bdd723d8c7c9786522ca969bffcc4
 	https://git.kernel.org/stable/c/91b34bf0409f43bb60453bab23c5beadd726d022
 	https://git.kernel.org/stable/c/5b4826657d36c218e9f08e8d3223b0edce3de88f
 	https://git.kernel.org/stable/c/b3a9b227d5e7467b8518160ff034ea22bb9de573
 	https://git.kernel.org/stable/c/369de57492c4f1a42563c5a3bd365822ca3bfc79
 	https://git.kernel.org/stable/c/e198f1930050e3115c80b67d9249f80f98a27c67
 	https://git.kernel.org/stable/c/88e22159750b0d55793302eeed8ee603f5c1a95c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49450: rxrpc: Fix listen() setting the bar too high for the prealloc rings

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	rxrpc: Fix listen() setting the bar too high for the prealloc rings

	AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump
	up the sysctl), but whilst the preallocation circular buffers have 32 slots
	in them, one of them has to be a dead slot because we're using CIRC_CNT().

	This means that listen(rxrpc_sock, 32) will cause an oops when the socket
	is closed because rxrpc_service_prealloc_one() allocated one too many calls
	and rxrpc_discard_prealloc() won't then be able to get rid of them because
	it'll think the ring is empty. rxrpc_release_calls_on_socket() then tries
	to abort them, but oopses because call->peer isn't yet set.

	Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match
	the ring capacity.

	BUG: kernel NULL pointer dereference, address: 0000000000000086
	...
	RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
	Call Trace:
	<TASK>
	? __wake_up_common_lock+0x7a/0x90
	? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
	? rxrpc_abort_call+0x4c/0x60 [rxrpc]
	rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
	rxrpc_release+0xc9/0x1c0 [rxrpc]
	__sock_release+0x37/0xa0
	sock_close+0x11/0x20
	__fput+0x89/0x240
	task_work_run+0x59/0x90
	do_exit+0x319/0xaa0

	The Linux kernel CVE team has assigned CVE-2022-49450 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.9.318 with commit 61fb38cfbb1d54d3dafd0c25752f684b3cd00b32
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.14.283 with commit 616f76498d5ddf26b997caf64a95cda3c8a55533
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.19.247 with commit 4a3a78b7918bdd723d8c7c9786522ca969bffcc4
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.4.198 with commit 91b34bf0409f43bb60453bab23c5beadd726d022
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.10.121 with commit 5b4826657d36c218e9f08e8d3223b0edce3de88f
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.15.46 with commit b3a9b227d5e7467b8518160ff034ea22bb9de573
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.17.14 with commit 369de57492c4f1a42563c5a3bd365822ca3bfc79
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.18.3 with commit e198f1930050e3115c80b67d9249f80f98a27c67
	Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.19 with commit 88e22159750b0d55793302eeed8ee603f5c1a95c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49450
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/rxrpc/sysctl.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/61fb38cfbb1d54d3dafd0c25752f684b3cd00b32
	https://git.kernel.org/stable/c/616f76498d5ddf26b997caf64a95cda3c8a55533
	https://git.kernel.org/stable/c/4a3a78b7918bdd723d8c7c9786522ca969bffcc4
	https://git.kernel.org/stable/c/91b34bf0409f43bb60453bab23c5beadd726d022
	https://git.kernel.org/stable/c/5b4826657d36c218e9f08e8d3223b0edce3de88f
	https://git.kernel.org/stable/c/b3a9b227d5e7467b8518160ff034ea22bb9de573
	https://git.kernel.org/stable/c/369de57492c4f1a42563c5a3bd365822ca3bfc79
	https://git.kernel.org/stable/c/e198f1930050e3115c80b67d9249f80f98a27c67
	https://git.kernel.org/stable/c/88e22159750b0d55793302eeed8ee603f5c1a95c