cve/published/2022/CVE-2022-49877.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49877: bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues

 When running `test_sockmap` selftests, the following warning appears:

   WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0
   Call Trace:
   <TASK>
   inet_csk_destroy_sock+0x55/0x110
   tcp_rcv_state_process+0xd28/0x1380
   ? tcp_v4_do_rcv+0x77/0x2c0
   tcp_v4_do_rcv+0x77/0x2c0
   __release_sock+0x106/0x130
   __tcp_close+0x1a7/0x4e0
   tcp_close+0x20/0x70
   inet_release+0x3c/0x80
   __sock_release+0x3a/0xb0
   sock_close+0x14/0x20
   __fput+0xa3/0x260
   task_work_run+0x59/0xb0
   exit_to_user_mode_prepare+0x1b3/0x1c0
   syscall_exit_to_user_mode+0x19/0x50
   do_syscall_64+0x48/0x90
   entry_SYSCALL_64_after_hwframe+0x44/0xae

 The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged
 while msg has more_data"), where I used msg->sg.size to replace the tosend,
 causing breakage:

   if (msg->apply_bytes && msg->apply_bytes < tosend)
     tosend = psock->apply_bytes;

 The Linux kernel CVE team has assigned CVE-2022-49877 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.189 with commit 244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf and fixed in 5.4.225 with commit d975bec1eaeb52341acc9273db79ddb078220399
 	Issue introduced in 5.10.110 with commit 7b812a369e6416ab06d83cdd39d8e3f752781dd0 and fixed in 5.10.155 with commit cc21dc48a78cc9e5af9a4d039cd456446a6e73ff
 	Issue introduced in 5.15.33 with commit 168ff181f5b6e7fce684c98a30d35da1dbf8f82a and fixed in 5.15.79 with commit 95adbd2ac8de82e43fd6b347e7e1b47f74dc1abb
 	Issue introduced in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d and fixed in 6.0.9 with commit 14e8bc3bf7bd6af64d7538a0684c8238d96cdfd7
 	Issue introduced in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d and fixed in 6.1 with commit 8ec95b94716a1e4d126edc3fb2bc426a717e2dba
 	Issue introduced in 5.16.19 with commit 87d532d41ef937e16f61b3d2094f3a2ac49be365
 	Issue introduced in 5.17.2 with commit abb4caa477a5450817d2aa1198edce66450aecf8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49877
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp_bpf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d975bec1eaeb52341acc9273db79ddb078220399
 	https://git.kernel.org/stable/c/cc21dc48a78cc9e5af9a4d039cd456446a6e73ff
 	https://git.kernel.org/stable/c/95adbd2ac8de82e43fd6b347e7e1b47f74dc1abb
 	https://git.kernel.org/stable/c/14e8bc3bf7bd6af64d7538a0684c8238d96cdfd7
 	https://git.kernel.org/stable/c/8ec95b94716a1e4d126edc3fb2bc426a717e2dba
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49877: bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues

	When running `test_sockmap` selftests, the following warning appears:

	WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0
	Call Trace:
	<TASK>
	inet_csk_destroy_sock+0x55/0x110
	tcp_rcv_state_process+0xd28/0x1380
	? tcp_v4_do_rcv+0x77/0x2c0
	tcp_v4_do_rcv+0x77/0x2c0
	__release_sock+0x106/0x130
	__tcp_close+0x1a7/0x4e0
	tcp_close+0x20/0x70
	inet_release+0x3c/0x80
	__sock_release+0x3a/0xb0
	sock_close+0x14/0x20
	__fput+0xa3/0x260
	task_work_run+0x59/0xb0
	exit_to_user_mode_prepare+0x1b3/0x1c0
	syscall_exit_to_user_mode+0x19/0x50
	do_syscall_64+0x48/0x90
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged
	while msg has more_data"), where I used msg->sg.size to replace the tosend,
	causing breakage:

	if (msg->apply_bytes && msg->apply_bytes < tosend)
	tosend = psock->apply_bytes;

	The Linux kernel CVE team has assigned CVE-2022-49877 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.189 with commit 244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf and fixed in 5.4.225 with commit d975bec1eaeb52341acc9273db79ddb078220399
	Issue introduced in 5.10.110 with commit 7b812a369e6416ab06d83cdd39d8e3f752781dd0 and fixed in 5.10.155 with commit cc21dc48a78cc9e5af9a4d039cd456446a6e73ff
	Issue introduced in 5.15.33 with commit 168ff181f5b6e7fce684c98a30d35da1dbf8f82a and fixed in 5.15.79 with commit 95adbd2ac8de82e43fd6b347e7e1b47f74dc1abb
	Issue introduced in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d and fixed in 6.0.9 with commit 14e8bc3bf7bd6af64d7538a0684c8238d96cdfd7
	Issue introduced in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d and fixed in 6.1 with commit 8ec95b94716a1e4d126edc3fb2bc426a717e2dba
	Issue introduced in 5.16.19 with commit 87d532d41ef937e16f61b3d2094f3a2ac49be365
	Issue introduced in 5.17.2 with commit abb4caa477a5450817d2aa1198edce66450aecf8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49877
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp_bpf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d975bec1eaeb52341acc9273db79ddb078220399
	https://git.kernel.org/stable/c/cc21dc48a78cc9e5af9a4d039cd456446a6e73ff
	https://git.kernel.org/stable/c/95adbd2ac8de82e43fd6b347e7e1b47f74dc1abb
	https://git.kernel.org/stable/c/14e8bc3bf7bd6af64d7538a0684c8238d96cdfd7
	https://git.kernel.org/stable/c/8ec95b94716a1e4d126edc3fb2bc426a717e2dba