cve/published/2023/CVE-2023-53088.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53088: mptcp: fix UaF in listener shutdown

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: fix UaF in listener shutdown

 As reported by Christoph after having refactored the passive
 socket initialization, the mptcp listener shutdown path is prone
 to an UaF issue.

   BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0
   Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266

   CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
   Call Trace:
    <TASK>
    dump_stack_lvl+0x6e/0x91
    print_report+0x16a/0x46f
    kasan_report+0xad/0x130
    kasan_check_range+0x14a/0x1a0
    _raw_spin_lock_bh+0x73/0xe0
    subflow_error_report+0x6d/0x110
    sk_error_report+0x3b/0x190
    tcp_disconnect+0x138c/0x1aa0
    inet_child_forget+0x6f/0x2e0
    inet_csk_listen_stop+0x209/0x1060
    __mptcp_close_ssk+0x52d/0x610
    mptcp_destroy_common+0x165/0x640
    mptcp_destroy+0x13/0x80
    __mptcp_destroy_sock+0xe7/0x270
    __mptcp_close+0x70e/0x9b0
    mptcp_close+0x2b/0x150
    inet_release+0xe9/0x1f0
    __sock_release+0xd2/0x280
    sock_close+0x15/0x20
    __fput+0x252/0xa20
    task_work_run+0x169/0x250
    exit_to_user_mode_prepare+0x113/0x120
    syscall_exit_to_user_mode+0x1d/0x40
    do_syscall_64+0x48/0x90
    entry_SYSCALL_64_after_hwframe+0x72/0xdc

 The msk grace period can legitly expire in between the last
 reference count dropped in mptcp_subflow_queue_clean() and
 the later eventual access in inet_csk_listen_stop()

 After the previous patch we don't need anymore special-casing
 msk listener socket cleanup: the mptcp worker will process each
 of the unaccepted msk sockets.

 Just drop the now unnecessary code.

 Please note this commit depends on the two parent ones:

   mptcp: refactor passive socket initialization
   mptcp: use the workqueue to destroy unaccepted sockets

 The Linux kernel CVE team has assigned CVE-2023-53088 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and fixed in 6.1.22 with commit 5564be74a22a61855f8b8c100d8c4abb003bb792
 	Issue introduced in 5.19 with commit 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and fixed in 6.2.8 with commit 0f4f4cf5d32f10543deb946a37111e714579511e
 	Issue introduced in 5.19 with commit 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and fixed in 6.3 with commit 0a3f4f1f9c27215e4ddcd312558342e57b93e518
 	Issue introduced in 5.18.10 with commit a8a3e95c74e48c2c9b07b81fafda9122993f2e12

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53088
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/protocol.c
 	net/mptcp/protocol.h
 	net/mptcp/subflow.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5564be74a22a61855f8b8c100d8c4abb003bb792
 	https://git.kernel.org/stable/c/0f4f4cf5d32f10543deb946a37111e714579511e
 	https://git.kernel.org/stable/c/0a3f4f1f9c27215e4ddcd312558342e57b93e518
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53088: mptcp: fix UaF in listener shutdown

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: fix UaF in listener shutdown

	As reported by Christoph after having refactored the passive
	socket initialization, the mptcp listener shutdown path is prone
	to an UaF issue.

	BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0
	Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266

	CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x6e/0x91
	print_report+0x16a/0x46f
	kasan_report+0xad/0x130
	kasan_check_range+0x14a/0x1a0
	_raw_spin_lock_bh+0x73/0xe0
	subflow_error_report+0x6d/0x110
	sk_error_report+0x3b/0x190
	tcp_disconnect+0x138c/0x1aa0
	inet_child_forget+0x6f/0x2e0
	inet_csk_listen_stop+0x209/0x1060
	__mptcp_close_ssk+0x52d/0x610
	mptcp_destroy_common+0x165/0x640
	mptcp_destroy+0x13/0x80
	__mptcp_destroy_sock+0xe7/0x270
	__mptcp_close+0x70e/0x9b0
	mptcp_close+0x2b/0x150
	inet_release+0xe9/0x1f0
	__sock_release+0xd2/0x280
	sock_close+0x15/0x20
	__fput+0x252/0xa20
	task_work_run+0x169/0x250
	exit_to_user_mode_prepare+0x113/0x120
	syscall_exit_to_user_mode+0x1d/0x40
	do_syscall_64+0x48/0x90
	entry_SYSCALL_64_after_hwframe+0x72/0xdc

	The msk grace period can legitly expire in between the last
	reference count dropped in mptcp_subflow_queue_clean() and
	the later eventual access in inet_csk_listen_stop()

	After the previous patch we don't need anymore special-casing
	msk listener socket cleanup: the mptcp worker will process each
	of the unaccepted msk sockets.

	Just drop the now unnecessary code.

	Please note this commit depends on the two parent ones:

	mptcp: refactor passive socket initialization
	mptcp: use the workqueue to destroy unaccepted sockets

	The Linux kernel CVE team has assigned CVE-2023-53088 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and fixed in 6.1.22 with commit 5564be74a22a61855f8b8c100d8c4abb003bb792
	Issue introduced in 5.19 with commit 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and fixed in 6.2.8 with commit 0f4f4cf5d32f10543deb946a37111e714579511e
	Issue introduced in 5.19 with commit 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and fixed in 6.3 with commit 0a3f4f1f9c27215e4ddcd312558342e57b93e518
	Issue introduced in 5.18.10 with commit a8a3e95c74e48c2c9b07b81fafda9122993f2e12

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53088
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/protocol.c
	net/mptcp/protocol.h
	net/mptcp/subflow.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5564be74a22a61855f8b8c100d8c4abb003bb792
	https://git.kernel.org/stable/c/0f4f4cf5d32f10543deb946a37111e714579511e
	https://git.kernel.org/stable/c/0a3f4f1f9c27215e4ddcd312558342e57b93e518