cve/published/2022/CVE-2022-49840.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49840: bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

 We got a syzkaller problem because of aarch64 alignment fault
 if KFENCE enabled. When the size from user bpf program is an odd
 number, like 399, 407, etc, it will cause the struct skb_shared_info's
 unaligned access. As seen below:

   BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

   Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
    __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
    arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
    arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
    atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
    __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
    skb_clone+0xf4/0x214 net/core/skbuff.c:1481
    ____bpf_clone_redirect net/core/filter.c:2433 [inline]
    bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
    bpf_prog_d3839dd9068ceb51+0x80/0x330
    bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
    bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
    bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
    bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
    __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
    __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

   kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

   allocated by task 15074 on cpu 0 at 1342.585390s:
    kmalloc include/linux/slab.h:568 [inline]
    kzalloc include/linux/slab.h:675 [inline]
    bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
    bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
    bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
    __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
    __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
    __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

 To fix the problem, we adjust @size so that (@size + @hearoom) is a
 multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info
 is aligned to a cache line.

 The Linux kernel CVE team has assigned CVE-2022-49840 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 4.14.300 with commit 047824a730699c6c66df43306b80f700c9dfc2fd
 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 4.19.267 with commit 730fb1ef974a13915bc7651364d8b3318891cd70
 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.4.225 with commit 7a704dbfd3735304e261f2787c52fbc7c3884736
 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.10.156 with commit e60f37a1d379c821c17b08f366412dce9ef3d99f
 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.15.80 with commit eaa8edd86514afac9deb9bf9a5053e74f37edf40
 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 6.0.10 with commit 1b597f2d6a55e9f549989913860ad5170da04964
 	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 6.1 with commit d3fd203f36d46aa29600a72d57a1b61af80e4a25

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49840
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bpf/test_run.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd
 	https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70
 	https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736
 	https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f
 	https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40
 	https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964
 	https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49840: bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

	We got a syzkaller problem because of aarch64 alignment fault
	if KFENCE enabled. When the size from user bpf program is an odd
	number, like 399, 407, etc, it will cause the struct skb_shared_info's
	unaligned access. As seen below:

	BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

	Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
	__lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
	arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
	arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
	atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
	__skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
	skb_clone+0xf4/0x214 net/core/skbuff.c:1481
	____bpf_clone_redirect net/core/filter.c:2433 [inline]
	bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
	bpf_prog_d3839dd9068ceb51+0x80/0x330
	bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
	bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
	bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
	bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
	__do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
	__se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

	kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

	allocated by task 15074 on cpu 0 at 1342.585390s:
	kmalloc include/linux/slab.h:568 [inline]
	kzalloc include/linux/slab.h:675 [inline]
	bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
	bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
	bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
	__do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
	__se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
	__arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

	To fix the problem, we adjust @size so that (@size + @hearoom) is a
	multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info
	is aligned to a cache line.

	The Linux kernel CVE team has assigned CVE-2022-49840 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 4.14.300 with commit 047824a730699c6c66df43306b80f700c9dfc2fd
	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 4.19.267 with commit 730fb1ef974a13915bc7651364d8b3318891cd70
	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.4.225 with commit 7a704dbfd3735304e261f2787c52fbc7c3884736
	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.10.156 with commit e60f37a1d379c821c17b08f366412dce9ef3d99f
	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.15.80 with commit eaa8edd86514afac9deb9bf9a5053e74f37edf40
	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 6.0.10 with commit 1b597f2d6a55e9f549989913860ad5170da04964
	Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 6.1 with commit d3fd203f36d46aa29600a72d57a1b61af80e4a25

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49840
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bpf/test_run.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd
	https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70
	https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736
	https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f
	https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40
	https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964
	https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25