cve/published/2023/CVE-2023-52523.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52523: bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

 With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages
 sent from one TCP socket (s1) to actually egress from another TCP
 socket (s2):

 tcp_bpf_sendmsg(s1)		// = sk_prot->sendmsg
   tcp_bpf_send_verdict(s1)	// __SK_REDIRECT case
     tcp_bpf_sendmsg_redir(s2)
       tcp_bpf_push_locked(s2)
 	tcp_bpf_push(s2)
 	  tcp_rate_check_app_limited(s2) // expects tcp_sock
 	  tcp_sendmsg_locked(s2)	 // ditto

 There is a hard-coded assumption in the call-chain, that the egress
 socket (s2) is a TCP socket.

 However in commit 122e6c79efe1 ("sock_map: Update sock type checks for
 UDP") we have enabled redirects to non-TCP sockets. This was done for the
 sake of BPF sk_skb programs. There was no indention to support sk_msg
 send-to-egress use case.

 As a result, attempts to send-to-egress through a non-TCP socket lead to a
 crash due to invalid downcast from sock to tcp_sock:

  BUG: kernel NULL pointer dereference, address: 000000000000002f
  ...
  Call Trace:
   <TASK>
   ? show_regs+0x60/0x70
   ? __die+0x1f/0x70
   ? page_fault_oops+0x80/0x160
   ? do_user_addr_fault+0x2d7/0x800
   ? rcu_is_watching+0x11/0x50
   ? exc_page_fault+0x70/0x1c0
   ? asm_exc_page_fault+0x27/0x30
   ? tcp_tso_segs+0x14/0xa0
   tcp_write_xmit+0x67/0xce0
   __tcp_push_pending_frames+0x32/0xf0
   tcp_push+0x107/0x140
   tcp_sendmsg_locked+0x99f/0xbb0
   tcp_bpf_push+0x19d/0x3a0
   tcp_bpf_sendmsg_redir+0x55/0xd0
   tcp_bpf_send_verdict+0x407/0x550
   tcp_bpf_sendmsg+0x1a1/0x390
   inet_sendmsg+0x6a/0x70
   sock_sendmsg+0x9d/0xc0
   ? sockfd_lookup_light+0x12/0x80
   __sys_sendto+0x10e/0x160
   ? syscall_enter_from_user_mode+0x20/0x60
   ? __this_cpu_preempt_check+0x13/0x20
   ? lockdep_hardirqs_on+0x82/0x110
   __x64_sys_sendto+0x1f/0x30
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

 Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg
 program to prevent the crash. When attempted, user will receive an EACCES
 error from send/sendto/sendmsg() syscall.

 The Linux kernel CVE team has assigned CVE-2023-52523 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 5.15.135 with commit bc8b89b6963803a123f64aa9494155a037b3d728
 	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 6.1.57 with commit b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
 	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 6.5.7 with commit ded6e448028f0f91b6af35985afca01fa02a9089
 	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 6.6 with commit b80e31baa43614e086a9d29dc1151932b1bd7fc5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52523
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/sock_map.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bc8b89b6963803a123f64aa9494155a037b3d728
 	https://git.kernel.org/stable/c/b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
 	https://git.kernel.org/stable/c/ded6e448028f0f91b6af35985afca01fa02a9089
 	https://git.kernel.org/stable/c/b80e31baa43614e086a9d29dc1151932b1bd7fc5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52523: bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

	With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages
	sent from one TCP socket (s1) to actually egress from another TCP
	socket (s2):

	tcp_bpf_sendmsg(s1) // = sk_prot->sendmsg
	tcp_bpf_send_verdict(s1) // __SK_REDIRECT case
	tcp_bpf_sendmsg_redir(s2)
	tcp_bpf_push_locked(s2)
	tcp_bpf_push(s2)
	tcp_rate_check_app_limited(s2) // expects tcp_sock
	tcp_sendmsg_locked(s2) // ditto

	There is a hard-coded assumption in the call-chain, that the egress
	socket (s2) is a TCP socket.

	However in commit 122e6c79efe1 ("sock_map: Update sock type checks for
	UDP") we have enabled redirects to non-TCP sockets. This was done for the
	sake of BPF sk_skb programs. There was no indention to support sk_msg
	send-to-egress use case.

	As a result, attempts to send-to-egress through a non-TCP socket lead to a
	crash due to invalid downcast from sock to tcp_sock:

	BUG: kernel NULL pointer dereference, address: 000000000000002f
	...
	Call Trace:
	<TASK>
	? show_regs+0x60/0x70
	? __die+0x1f/0x70
	? page_fault_oops+0x80/0x160
	? do_user_addr_fault+0x2d7/0x800
	? rcu_is_watching+0x11/0x50
	? exc_page_fault+0x70/0x1c0
	? asm_exc_page_fault+0x27/0x30
	? tcp_tso_segs+0x14/0xa0
	tcp_write_xmit+0x67/0xce0
	__tcp_push_pending_frames+0x32/0xf0
	tcp_push+0x107/0x140
	tcp_sendmsg_locked+0x99f/0xbb0
	tcp_bpf_push+0x19d/0x3a0
	tcp_bpf_sendmsg_redir+0x55/0xd0
	tcp_bpf_send_verdict+0x407/0x550
	tcp_bpf_sendmsg+0x1a1/0x390
	inet_sendmsg+0x6a/0x70
	sock_sendmsg+0x9d/0xc0
	? sockfd_lookup_light+0x12/0x80
	__sys_sendto+0x10e/0x160
	? syscall_enter_from_user_mode+0x20/0x60
	? __this_cpu_preempt_check+0x13/0x20
	? lockdep_hardirqs_on+0x82/0x110
	__x64_sys_sendto+0x1f/0x30
	do_syscall_64+0x38/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg
	program to prevent the crash. When attempted, user will receive an EACCES
	error from send/sendto/sendmsg() syscall.

	The Linux kernel CVE team has assigned CVE-2023-52523 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 5.15.135 with commit bc8b89b6963803a123f64aa9494155a037b3d728
	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 6.1.57 with commit b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 6.5.7 with commit ded6e448028f0f91b6af35985afca01fa02a9089
	Issue introduced in 5.13 with commit 122e6c79efe1c25816118aca9cfabe54e99c2432 and fixed in 6.6 with commit b80e31baa43614e086a9d29dc1151932b1bd7fc5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52523
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/sock_map.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bc8b89b6963803a123f64aa9494155a037b3d728
	https://git.kernel.org/stable/c/b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
	https://git.kernel.org/stable/c/ded6e448028f0f91b6af35985afca01fa02a9089
	https://git.kernel.org/stable/c/b80e31baa43614e086a9d29dc1151932b1bd7fc5