cve/published/2022/CVE-2022-49456.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49456: bonding: fix missed rcu protection

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bonding: fix missed rcu protection

 When removing the rcu_read_lock in bond_ethtool_get_ts_info() as
 discussed [1], I didn't notice it could be called via setsockopt,
 which doesn't hold rcu lock, as syzbot pointed:

   stack backtrace:
   CPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
   Call Trace:
    <TASK>
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
    bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]
    bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595
    __ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554
    ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568
    sock_timestamping_bind_phc net/core/sock.c:869 [inline]
    sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916
    sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221
    __sys_setsockopt+0x55e/0x6a0 net/socket.c:2223
    __do_sys_setsockopt net/socket.c:2238 [inline]
    __se_sys_setsockopt net/socket.c:2235 [inline]
    __x64_sys_setsockopt+0xba/0x150 net/socket.c:2235
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x44/0xae
   RIP: 0033:0x7f8902c8eb39

 Fix it by adding rcu_read_lock and take a ref on the real_dev.
 Since dev_hold() and dev_put() can take NULL these days, we can
 skip checking if real_dev exist.

 [1] https://lore.kernel.org/netdev/27565.1642742439@famine/

 The Linux kernel CVE team has assigned CVE-2022-49456 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit aa6034678e873db8bd5c5a4b73f8b88c469374d6 and fixed in 5.17.14 with commit 1b66a533c47d29b38af8e05fbb53b609a5ba3a4e
 	Issue introduced in 5.17 with commit aa6034678e873db8bd5c5a4b73f8b88c469374d6 and fixed in 5.18.3 with commit 85eed460681da71b359ed906bce4d800081db854
 	Issue introduced in 5.17 with commit aa6034678e873db8bd5c5a4b73f8b88c469374d6 and fixed in 5.19 with commit 9b80ccda233fa6c59de411bf889cc4d0e028f2c7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49456
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/bonding/bond_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1b66a533c47d29b38af8e05fbb53b609a5ba3a4e
 	https://git.kernel.org/stable/c/85eed460681da71b359ed906bce4d800081db854
 	https://git.kernel.org/stable/c/9b80ccda233fa6c59de411bf889cc4d0e028f2c7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49456: bonding: fix missed rcu protection

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bonding: fix missed rcu protection

	When removing the rcu_read_lock in bond_ethtool_get_ts_info() as
	discussed [1], I didn't notice it could be called via setsockopt,
	which doesn't hold rcu lock, as syzbot pointed:

	stack backtrace:
	CPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]
	bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595
	__ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554
	ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568
	sock_timestamping_bind_phc net/core/sock.c:869 [inline]
	sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916
	sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221
	__sys_setsockopt+0x55e/0x6a0 net/socket.c:2223
	__do_sys_setsockopt net/socket.c:2238 [inline]
	__se_sys_setsockopt net/socket.c:2235 [inline]
	__x64_sys_setsockopt+0xba/0x150 net/socket.c:2235
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	RIP: 0033:0x7f8902c8eb39

	Fix it by adding rcu_read_lock and take a ref on the real_dev.
	Since dev_hold() and dev_put() can take NULL these days, we can
	skip checking if real_dev exist.

	[1] https://lore.kernel.org/netdev/27565.1642742439@famine/

	The Linux kernel CVE team has assigned CVE-2022-49456 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit aa6034678e873db8bd5c5a4b73f8b88c469374d6 and fixed in 5.17.14 with commit 1b66a533c47d29b38af8e05fbb53b609a5ba3a4e
	Issue introduced in 5.17 with commit aa6034678e873db8bd5c5a4b73f8b88c469374d6 and fixed in 5.18.3 with commit 85eed460681da71b359ed906bce4d800081db854
	Issue introduced in 5.17 with commit aa6034678e873db8bd5c5a4b73f8b88c469374d6 and fixed in 5.19 with commit 9b80ccda233fa6c59de411bf889cc4d0e028f2c7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49456
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/bonding/bond_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1b66a533c47d29b38af8e05fbb53b609a5ba3a4e
	https://git.kernel.org/stable/c/85eed460681da71b359ed906bce4d800081db854
	https://git.kernel.org/stable/c/9b80ccda233fa6c59de411bf889cc4d0e028f2c7