cve/published/2023/CVE-2023-52778.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52778: mptcp: deal with large GSO size

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: deal with large GSO size

 After the blamed commit below, the TCP sockets (and the MPTCP subflows)
 can build egress packets larger than 64K. That exceeds the maximum DSS
 data size, the length being misrepresent on the wire and the stream being
 corrupted, as later observed on the receiver:

   WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0
   CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
   netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
   RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705
   RSP: 0018:ffffc90000006e80 EFLAGS: 00010246
   RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000
   netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
   RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908
   RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a
   R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908
   R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29
   FS:  00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
   PKRU: 55555554
   Call Trace:
    <IRQ>
    mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819
    subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409
    tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151
    tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098
    tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483
    tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749
    ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438
    ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483
    ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304
    __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532
    process_backlog+0x353/0x660 net/core/dev.c:5974
    __napi_poll+0xc6/0x5a0 net/core/dev.c:6536
    net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603
    __do_softirq+0x184/0x524 kernel/softirq.c:553
    do_softirq+0xdd/0x130 kernel/softirq.c:454

 Address the issue explicitly bounding the maximum GSO size to what MPTCP
 actually allows.

 The Linux kernel CVE team has assigned CVE-2023-52778 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.1.64 with commit 70ff9b65a72885b3a2dfde6709da1f19b85fa696
 	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.5.13 with commit 342b528c0e849bed9def76dadaa470d3af678e94
 	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.6.3 with commit 57ced2eb77343a91d28f4a73675b05fe7b555def
 	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.7 with commit 9fce92f050f448a0d1ddd9083ef967d9930f1e52

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52778
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/protocol.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/70ff9b65a72885b3a2dfde6709da1f19b85fa696
 	https://git.kernel.org/stable/c/342b528c0e849bed9def76dadaa470d3af678e94
 	https://git.kernel.org/stable/c/57ced2eb77343a91d28f4a73675b05fe7b555def
 	https://git.kernel.org/stable/c/9fce92f050f448a0d1ddd9083ef967d9930f1e52
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52778: mptcp: deal with large GSO size

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: deal with large GSO size

	After the blamed commit below, the TCP sockets (and the MPTCP subflows)
	can build egress packets larger than 64K. That exceeds the maximum DSS
	data size, the length being misrepresent on the wire and the stream being
	corrupted, as later observed on the receiver:

	WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0
	CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
	netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
	RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705
	RSP: 0018:ffffc90000006e80 EFLAGS: 00010246
	RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000
	netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
	RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908
	RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a
	R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908
	R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29
	FS: 00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
	PKRU: 55555554
	Call Trace:
	<IRQ>
	mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819
	subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409
	tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151
	tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098
	tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483
	tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749
	ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438
	ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483
	ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304
	__netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532
	process_backlog+0x353/0x660 net/core/dev.c:5974
	__napi_poll+0xc6/0x5a0 net/core/dev.c:6536
	net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603
	__do_softirq+0x184/0x524 kernel/softirq.c:553
	do_softirq+0xdd/0x130 kernel/softirq.c:454

	Address the issue explicitly bounding the maximum GSO size to what MPTCP
	actually allows.

	The Linux kernel CVE team has assigned CVE-2023-52778 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.1.64 with commit 70ff9b65a72885b3a2dfde6709da1f19b85fa696
	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.5.13 with commit 342b528c0e849bed9def76dadaa470d3af678e94
	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.6.3 with commit 57ced2eb77343a91d28f4a73675b05fe7b555def
	Issue introduced in 5.19 with commit 7c4e983c4f3cf94fcd879730c6caa877e0768a4d and fixed in 6.7 with commit 9fce92f050f448a0d1ddd9083ef967d9930f1e52

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52778
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/protocol.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/70ff9b65a72885b3a2dfde6709da1f19b85fa696
	https://git.kernel.org/stable/c/342b528c0e849bed9def76dadaa470d3af678e94
	https://git.kernel.org/stable/c/57ced2eb77343a91d28f4a73675b05fe7b555def
	https://git.kernel.org/stable/c/9fce92f050f448a0d1ddd9083ef967d9930f1e52