cve/published/2022/CVE-2022-49732.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49732: sock: redo the psock vs ULP protection check

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sock: redo the psock vs ULP protection check

 Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()")
 has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to
 the new tcp_bpf_update_proto() function. I'm guessing that this
 was done to allow creating psocks for non-inet sockets.

 Unfortunately the destruction path for psock includes the ULP
 unwind, so we need to fail the sk_psock_init() itself.
 Otherwise if ULP is already present we'll notice that later,
 and call tcp_update_ulp() with the sk_proto of the ULP
 itself, which will most likely result in the ULP looping
 its callbacks.

 The Linux kernel CVE team has assigned CVE-2022-49732 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 and fixed in 5.15.51 with commit 72fa0f65b56605b8a9ae9fba2082f2123f7fe017
 	Issue introduced in 5.13 with commit 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 and fixed in 5.18.8 with commit 922309e50befb0cfa5cb65e4989b7706d6578846
 	Issue introduced in 5.13 with commit 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 and fixed in 5.19 with commit e34a07c0ae3906f97eb18df50902e2a01c1015b6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49732
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/inet_sock.h
 	net/core/skmsg.c
 	net/ipv4/tcp_bpf.c
 	net/tls/tls_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017
 	https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846
 	https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49732: sock: redo the psock vs ULP protection check

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sock: redo the psock vs ULP protection check

	Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()")
	has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to
	the new tcp_bpf_update_proto() function. I'm guessing that this
	was done to allow creating psocks for non-inet sockets.

	Unfortunately the destruction path for psock includes the ULP
	unwind, so we need to fail the sk_psock_init() itself.
	Otherwise if ULP is already present we'll notice that later,
	and call tcp_update_ulp() with the sk_proto of the ULP
	itself, which will most likely result in the ULP looping
	its callbacks.

	The Linux kernel CVE team has assigned CVE-2022-49732 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 and fixed in 5.15.51 with commit 72fa0f65b56605b8a9ae9fba2082f2123f7fe017
	Issue introduced in 5.13 with commit 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 and fixed in 5.18.8 with commit 922309e50befb0cfa5cb65e4989b7706d6578846
	Issue introduced in 5.13 with commit 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 and fixed in 5.19 with commit e34a07c0ae3906f97eb18df50902e2a01c1015b6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49732
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/inet_sock.h
	net/core/skmsg.c
	net/ipv4/tcp_bpf.c
	net/tls/tls_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017
	https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846
	https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6