cve/published/2023/CVE-2023-52775.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52775: net/smc: avoid data corruption caused by decline

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/smc: avoid data corruption caused by decline

 We found a data corruption issue during testing of SMC-R on Redis
 applications.

 The benchmark has a low probability of reporting a strange error as
 shown below.

 "Error: Protocol error, got "\xe2" as reply type byte"

 Finally, we found that the retrieved error data was as follows:

 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C
 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2

 It is quite obvious that this is a SMC DECLINE message, which means that
 the applications received SMC protocol message.
 We found that this was caused by the following situations:

 client                  server
         ¦  clc proposal
         ------------->
         ¦  clc accept
         <-------------
         ¦  clc confirm
         ------------->
 wait llc confirm
 			send llc confirm
         ¦failed llc confirm
         ¦   x------
 (after 2s)timeout
                         wait llc confirm rsp

 wait decline

 (after 1s) timeout
                         (after 2s) timeout
         ¦   decline
         -------------->
         ¦   decline
         <--------------

 As a result, a decline message was sent in the implementation, and this
 message was read from TCP by the already-fallback connection.

 This patch double the client timeout as 2x of the server value,
 With this simple change, the Decline messages should never cross or
 collide (during Confirm link timeout).

 This issue requires an immediate solution, since the protocol updates
 involve a more long-term solution.

 The Linux kernel CVE team has assigned CVE-2023-52775 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 5.10.203 with commit 5ada292b5c504720a0acef8cae9acc62a694d19c
 	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 5.15.141 with commit 90072af9efe8c7bd7d086709014ddd44cebd5e7c
 	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 6.1.65 with commit 94a0ae698b4d5d5bb598e23228002a1491c50add
 	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 6.6.4 with commit 7234d2b5dffa5af77fd4e0deaebab509e130c6b1
 	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 6.7 with commit e6d71b437abc2f249e3b6a1ae1a7228e09c6e563

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52775
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/smc/af_smc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c
 	https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c
 	https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add
 	https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1
 	https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52775: net/smc: avoid data corruption caused by decline

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/smc: avoid data corruption caused by decline

	We found a data corruption issue during testing of SMC-R on Redis
	applications.

	The benchmark has a low probability of reporting a strange error as
	shown below.

	"Error: Protocol error, got "\xe2" as reply type byte"

	Finally, we found that the retrieved error data was as follows:

	0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C
	0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
	0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2

	It is quite obvious that this is a SMC DECLINE message, which means that
	the applications received SMC protocol message.
	We found that this was caused by the following situations:

	client server
	¦ clc proposal
	------------->
	¦ clc accept
	<-------------
	¦ clc confirm
	------------->
	wait llc confirm
	send llc confirm
	¦failed llc confirm
	¦ x------
	(after 2s)timeout
	wait llc confirm rsp

	wait decline

	(after 1s) timeout
	(after 2s) timeout
	¦ decline
	-------------->
	¦ decline
	<--------------

	As a result, a decline message was sent in the implementation, and this
	message was read from TCP by the already-fallback connection.

	This patch double the client timeout as 2x of the server value,
	With this simple change, the Decline messages should never cross or
	collide (during Confirm link timeout).

	This issue requires an immediate solution, since the protocol updates
	involve a more long-term solution.

	The Linux kernel CVE team has assigned CVE-2023-52775 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 5.10.203 with commit 5ada292b5c504720a0acef8cae9acc62a694d19c
	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 5.15.141 with commit 90072af9efe8c7bd7d086709014ddd44cebd5e7c
	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 6.1.65 with commit 94a0ae698b4d5d5bb598e23228002a1491c50add
	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 6.6.4 with commit 7234d2b5dffa5af77fd4e0deaebab509e130c6b1
	Issue introduced in 5.8 with commit 0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 and fixed in 6.7 with commit e6d71b437abc2f249e3b6a1ae1a7228e09c6e563

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52775
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/smc/af_smc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c
	https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c
	https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add
	https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1
	https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563