cve/published/2023/CVE-2023-52637.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52637: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

 Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
 modifies jsk->filters while receiving packets.

 Following trace was seen on affected system:
  ==================================================================
  BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
  Read of size 4 at addr ffff888012144014 by task j1939/350

  CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
  Call Trace:
   print_report+0xd3/0x620
   ? kasan_complete_mode_report_info+0x7d/0x200
   ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
   kasan_report+0xc2/0x100
   ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
   __asan_load4+0x84/0xb0
   j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
   j1939_sk_recv+0x20b/0x320 [can_j1939]
   ? __kasan_check_write+0x18/0x20
   ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
   ? j1939_simple_recv+0x69/0x280 [can_j1939]
   ? j1939_ac_recv+0x5e/0x310 [can_j1939]
   j1939_can_recv+0x43f/0x580 [can_j1939]
   ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
   ? raw_rcv+0x42/0x3c0 [can_raw]
   ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
   can_rcv_filter+0x11f/0x350 [can]
   can_receive+0x12f/0x190 [can]
   ? __pfx_can_rcv+0x10/0x10 [can]
   can_rcv+0xdd/0x130 [can]
   ? __pfx_can_rcv+0x10/0x10 [can]
   __netif_receive_skb_one_core+0x13d/0x150
   ? __pfx___netif_receive_skb_one_core+0x10/0x10
   ? __kasan_check_write+0x18/0x20
   ? _raw_spin_lock_irq+0x8c/0xe0
   __netif_receive_skb+0x23/0xb0
   process_backlog+0x107/0x260
   __napi_poll+0x69/0x310
   net_rx_action+0x2a1/0x580
   ? __pfx_net_rx_action+0x10/0x10
   ? __pfx__raw_spin_lock+0x10/0x10
   ? handle_irq_event+0x7d/0xa0
   __do_softirq+0xf3/0x3f8
   do_softirq+0x53/0x80
   </IRQ>
   <TASK>
   __local_bh_enable_ip+0x6e/0x70
   netif_rx+0x16b/0x180
   can_send+0x32b/0x520 [can]
   ? __pfx_can_send+0x10/0x10 [can]
   ? __check_object_size+0x299/0x410
   raw_sendmsg+0x572/0x6d0 [can_raw]
   ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
   ? apparmor_socket_sendmsg+0x2f/0x40
   ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
   sock_sendmsg+0xef/0x100
   sock_write_iter+0x162/0x220
   ? __pfx_sock_write_iter+0x10/0x10
   ? __rtnl_unlock+0x47/0x80
   ? security_file_permission+0x54/0x320
   vfs_write+0x6ba/0x750
   ? __pfx_vfs_write+0x10/0x10
   ? __fget_light+0x1ca/0x1f0
   ? __rcu_read_unlock+0x5b/0x280
   ksys_write+0x143/0x170
   ? __pfx_ksys_write+0x10/0x10
   ? __kasan_check_read+0x15/0x20
   ? fpregs_assert_state_consistent+0x62/0x70
   __x64_sys_write+0x47/0x60
   do_syscall_64+0x60/0x90
   ? do_syscall_64+0x6d/0x90
   ? irqentry_exit+0x3f/0x50
   ? exc_page_fault+0x79/0xf0
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

  Allocated by task 348:
   kasan_save_stack+0x2a/0x50
   kasan_set_track+0x29/0x40
   kasan_save_alloc_info+0x1f/0x30
   __kasan_kmalloc+0xb5/0xc0
   __kmalloc_node_track_caller+0x67/0x160
   j1939_sk_setsockopt+0x284/0x450 [can_j1939]
   __sys_setsockopt+0x15c/0x2f0
   __x64_sys_setsockopt+0x6b/0x80
   do_syscall_64+0x60/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

  Freed by task 349:
   kasan_save_stack+0x2a/0x50
   kasan_set_track+0x29/0x40
   kasan_save_free_info+0x2f/0x50
   __kasan_slab_free+0x12e/0x1c0
   __kmem_cache_free+0x1b9/0x380
   kfree+0x7a/0x120
   j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
   __sys_setsockopt+0x15c/0x2f0
   __x64_sys_setsockopt+0x6b/0x80
   do_syscall_64+0x60/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

 The Linux kernel CVE team has assigned CVE-2023-52637 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.4.269 with commit 08de58abedf6e69396e1207e4f99ef8904b2b532
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.10.210 with commit 978e50ef8c38dc71bd14d1b0143d554ff5d188ba
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.15.149 with commit 41ccb5bcbf03f02d820bc6ea8390811859f558f8
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.1.79 with commit 4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.6.18 with commit f84e7534457dcd7835be743517c35378bb4e7c50
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.7.6 with commit fc74b9cb789cae061bbca7b203a3842e059f6b5d
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.8 with commit efe7cf828039aedb297c1f9920b638fffee6aabc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52637
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/can/j1939/j1939-priv.h
 	net/can/j1939/socket.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532
 	https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba
 	https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8
 	https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
 	https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50
 	https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d
 	https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52637: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

	Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
	modifies jsk->filters while receiving packets.

	Following trace was seen on affected system:
	==================================================================
	BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
	Read of size 4 at addr ffff888012144014 by task j1939/350

	CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
	Call Trace:
	print_report+0xd3/0x620
	? kasan_complete_mode_report_info+0x7d/0x200
	? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
	kasan_report+0xc2/0x100
	? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
	__asan_load4+0x84/0xb0
	j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
	j1939_sk_recv+0x20b/0x320 [can_j1939]
	? __kasan_check_write+0x18/0x20
	? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
	? j1939_simple_recv+0x69/0x280 [can_j1939]
	? j1939_ac_recv+0x5e/0x310 [can_j1939]
	j1939_can_recv+0x43f/0x580 [can_j1939]
	? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
	? raw_rcv+0x42/0x3c0 [can_raw]
	? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
	can_rcv_filter+0x11f/0x350 [can]
	can_receive+0x12f/0x190 [can]
	? __pfx_can_rcv+0x10/0x10 [can]
	can_rcv+0xdd/0x130 [can]
	? __pfx_can_rcv+0x10/0x10 [can]
	__netif_receive_skb_one_core+0x13d/0x150
	? __pfx___netif_receive_skb_one_core+0x10/0x10
	? __kasan_check_write+0x18/0x20
	? _raw_spin_lock_irq+0x8c/0xe0
	__netif_receive_skb+0x23/0xb0
	process_backlog+0x107/0x260
	__napi_poll+0x69/0x310
	net_rx_action+0x2a1/0x580
	? __pfx_net_rx_action+0x10/0x10
	? __pfx__raw_spin_lock+0x10/0x10
	? handle_irq_event+0x7d/0xa0
	__do_softirq+0xf3/0x3f8
	do_softirq+0x53/0x80
	</IRQ>
	<TASK>
	__local_bh_enable_ip+0x6e/0x70
	netif_rx+0x16b/0x180
	can_send+0x32b/0x520 [can]
	? __pfx_can_send+0x10/0x10 [can]
	? __check_object_size+0x299/0x410
	raw_sendmsg+0x572/0x6d0 [can_raw]
	? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
	? apparmor_socket_sendmsg+0x2f/0x40
	? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
	sock_sendmsg+0xef/0x100
	sock_write_iter+0x162/0x220
	? __pfx_sock_write_iter+0x10/0x10
	? __rtnl_unlock+0x47/0x80
	? security_file_permission+0x54/0x320
	vfs_write+0x6ba/0x750
	? __pfx_vfs_write+0x10/0x10
	? __fget_light+0x1ca/0x1f0
	? __rcu_read_unlock+0x5b/0x280
	ksys_write+0x143/0x170
	? __pfx_ksys_write+0x10/0x10
	? __kasan_check_read+0x15/0x20
	? fpregs_assert_state_consistent+0x62/0x70
	__x64_sys_write+0x47/0x60
	do_syscall_64+0x60/0x90
	? do_syscall_64+0x6d/0x90
	? irqentry_exit+0x3f/0x50
	? exc_page_fault+0x79/0xf0
	entry_SYSCALL_64_after_hwframe+0x6e/0xd8

	Allocated by task 348:
	kasan_save_stack+0x2a/0x50
	kasan_set_track+0x29/0x40
	kasan_save_alloc_info+0x1f/0x30
	__kasan_kmalloc+0xb5/0xc0
	__kmalloc_node_track_caller+0x67/0x160
	j1939_sk_setsockopt+0x284/0x450 [can_j1939]
	__sys_setsockopt+0x15c/0x2f0
	__x64_sys_setsockopt+0x6b/0x80
	do_syscall_64+0x60/0x90
	entry_SYSCALL_64_after_hwframe+0x6e/0xd8

	Freed by task 349:
	kasan_save_stack+0x2a/0x50
	kasan_set_track+0x29/0x40
	kasan_save_free_info+0x2f/0x50
	__kasan_slab_free+0x12e/0x1c0
	__kmem_cache_free+0x1b9/0x380
	kfree+0x7a/0x120
	j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
	__sys_setsockopt+0x15c/0x2f0
	__x64_sys_setsockopt+0x6b/0x80
	do_syscall_64+0x60/0x90
	entry_SYSCALL_64_after_hwframe+0x6e/0xd8

	The Linux kernel CVE team has assigned CVE-2023-52637 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.4.269 with commit 08de58abedf6e69396e1207e4f99ef8904b2b532
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.10.210 with commit 978e50ef8c38dc71bd14d1b0143d554ff5d188ba
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.15.149 with commit 41ccb5bcbf03f02d820bc6ea8390811859f558f8
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.1.79 with commit 4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.6.18 with commit f84e7534457dcd7835be743517c35378bb4e7c50
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.7.6 with commit fc74b9cb789cae061bbca7b203a3842e059f6b5d
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.8 with commit efe7cf828039aedb297c1f9920b638fffee6aabc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52637
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/can/j1939/j1939-priv.h
	net/can/j1939/socket.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532
	https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba
	https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8
	https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
	https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50
	https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d
	https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc