cve/published/2024/CVE-2024-36905.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36905: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

 TCP_SYN_RECV state is really special, it is only used by
 cross-syn connections, mostly used by fuzzers.

 In the following crash [1], syzbot managed to trigger a divide
 by zero in tcp_rcv_space_adjust()

 A socket makes the following state transitions,
 without ever calling tcp_init_transfer(),
 meaning tcp_init_buffer_space() is also not called.

          TCP_CLOSE
 connect()
          TCP_SYN_SENT
          TCP_SYN_RECV
 shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
          TCP_FIN_WAIT1

 To fix this issue, change tcp_shutdown() to not
 perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
 which makes no sense anyway.

 When tcp_rcv_state_process() later changes socket state
 from TCP_SYN_RECV to TCP_ESTABLISH, then look at
 sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
 and send a FIN packet from a sane socket state.

 This means tcp_send_fin() can now be called from BH
 context, and must use GFP_ATOMIC allocations.

 [1]
 divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
 CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
  RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
 Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
 RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
 RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
 R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
 R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
 FS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
 Call Trace:
  <TASK>
   tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
   tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
   inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
   sock_recvmsg_nosec net/socket.c:1046 [inline]
   sock_recvmsg+0x109/0x280 net/socket.c:1068
   ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
   ___sys_recvmsg net/socket.c:2845 [inline]
   do_recvmmsg+0x474/0xae0 net/socket.c:2939
   __sys_recvmmsg net/socket.c:3018 [inline]
   __do_sys_recvmmsg net/socket.c:3041 [inline]
   __se_sys_recvmmsg net/socket.c:3034 [inline]
   __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7faeb6363db9
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
 RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
 RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
 R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001

 The Linux kernel CVE team has assigned CVE-2024-36905 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.314 with commit 34e41a031fd7523bf1cd00a2adca2370aebea270
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.276 with commit ed5e279b69e007ce6c0fe82a5a534c1b19783214
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.217 with commit 413c33b9f3bc36fdf719690a78824db9f88a9485
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.159 with commit 2552c9d9440f8e7a2ed0660911ff00f25b90a0a4
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.91 with commit 3fe4ef0568a48369b1891395d13ac593b1ba41b1
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.31 with commit f47d0d32fa94e815fdd78b8b88684873e67939f4
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.10 with commit cbf232ba11bc86a5281b4f00e1151349ef4d45cf
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9 with commit 94062790aedb505bdda209b10bea47b294d6394f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36905
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp.c
 	net/ipv4/tcp_input.c
 	net/ipv4/tcp_output.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270
 	https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214
 	https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485
 	https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4
 	https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1
 	https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4
 	https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf
 	https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f
 	https://www.openwall.com/lists/oss-security/2024/10/29/1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36905: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

	TCP_SYN_RECV state is really special, it is only used by
	cross-syn connections, mostly used by fuzzers.

	In the following crash [1], syzbot managed to trigger a divide
	by zero in tcp_rcv_space_adjust()

	A socket makes the following state transitions,
	without ever calling tcp_init_transfer(),
	meaning tcp_init_buffer_space() is also not called.

	TCP_CLOSE
	connect()
	TCP_SYN_SENT
	TCP_SYN_RECV
	shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
	TCP_FIN_WAIT1

	To fix this issue, change tcp_shutdown() to not
	perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
	which makes no sense anyway.

	When tcp_rcv_state_process() later changes socket state
	from TCP_SYN_RECV to TCP_ESTABLISH, then look at
	sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
	and send a FIN packet from a sane socket state.

	This means tcp_send_fin() can now be called from BH
	context, and must use GFP_ATOMIC allocations.

	[1]
	divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
	CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
	RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
	Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
	RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
	RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
	R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
	R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
	FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
	Call Trace:
	<TASK>
	tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
	tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
	inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
	sock_recvmsg_nosec net/socket.c:1046 [inline]
	sock_recvmsg+0x109/0x280 net/socket.c:1068
	____sys_recvmsg+0x1db/0x470 net/socket.c:2803
	___sys_recvmsg net/socket.c:2845 [inline]
	do_recvmmsg+0x474/0xae0 net/socket.c:2939
	__sys_recvmmsg net/socket.c:3018 [inline]
	__do_sys_recvmmsg net/socket.c:3041 [inline]
	__se_sys_recvmmsg net/socket.c:3034 [inline]
	__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7faeb6363db9
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
	RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
	RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
	R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001

	The Linux kernel CVE team has assigned CVE-2024-36905 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.314 with commit 34e41a031fd7523bf1cd00a2adca2370aebea270
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.276 with commit ed5e279b69e007ce6c0fe82a5a534c1b19783214
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.217 with commit 413c33b9f3bc36fdf719690a78824db9f88a9485
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.159 with commit 2552c9d9440f8e7a2ed0660911ff00f25b90a0a4
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.91 with commit 3fe4ef0568a48369b1891395d13ac593b1ba41b1
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.31 with commit f47d0d32fa94e815fdd78b8b88684873e67939f4
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.10 with commit cbf232ba11bc86a5281b4f00e1151349ef4d45cf
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9 with commit 94062790aedb505bdda209b10bea47b294d6394f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36905
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp.c
	net/ipv4/tcp_input.c
	net/ipv4/tcp_output.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270
	https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214
	https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485
	https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4
	https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1
	https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4
	https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf
	https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f
	https://www.openwall.com/lists/oss-security/2024/10/29/1