cve/published/2024/CVE-2024-36938.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36938: bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

 Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
 syzbot reported [1].

 [1]
 BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

 write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
  sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
  sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
  sk_psock_put include/linux/skmsg.h:459 [inline]
  sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
  unix_release+0x4b/0x80 net/unix/af_unix.c:1048
  __sock_release net/socket.c:659 [inline]
  sock_close+0x68/0x150 net/socket.c:1421
  __fput+0x2c1/0x660 fs/file_table.c:422
  __fput_sync+0x44/0x60 fs/file_table.c:507
  __do_sys_close fs/open.c:1556 [inline]
  __se_sys_close+0x101/0x1b0 fs/open.c:1541
  __x64_sys_close+0x1f/0x30 fs/open.c:1541
  do_syscall_64+0xd3/0x1d0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
  sk_psock_data_ready include/linux/skmsg.h:464 [inline]
  sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
  sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
  sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
  sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
  unix_read_skb net/unix/af_unix.c:2546 [inline]
  unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
  sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
  unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x140/0x180 net/socket.c:745
  ____sys_sendmsg+0x312/0x410 net/socket.c:2584
  ___sys_sendmsg net/socket.c:2638 [inline]
  __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
  __do_sys_sendmsg net/socket.c:2676 [inline]
  __se_sys_sendmsg net/socket.c:2674 [inline]
  __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
  do_syscall_64+0xd3/0x1d0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G        W          6.8.0-syzkaller-08951-gfe46a7dd189e #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

 Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
 dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
 similarly due to no protection of saved_data_ready. Here is another
 different caller causing the same issue because of the same reason. So
 we should protect it with sk_callback_lock read lock because the writer
 side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".

 To avoid errors that could happen in future, I move those two pairs of
 lock into the sk_psock_data_ready(), which is suggested by John Fastabend.

 The Linux kernel CVE team has assigned CVE-2024-36938 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.223 with commit c0809c128dad4c3413818384eb06a341633db973
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.159 with commit 5965bc7535fb87510b724e5465ccc1a1cf00916d
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.1.91 with commit 39dc9e1442385d6e9be0b6491ee488dddd55ae27
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.6.31 with commit b397a0ab8582c533ec0c6b732392f141fc364f87
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.8.10 with commit 772d5729b5ff0df0d37b32db600ce635b2172f80
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.9 with commit 6648e613226e18897231ab5e42ffc29e63fa3365

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36938
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/skmsg.h
 	net/core/skmsg.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973
 	https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d
 	https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27
 	https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87
 	https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80
 	https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36938: bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

	Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
	syzbot reported [1].

	[1]
	BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

	write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
	sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
	sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
	sk_psock_put include/linux/skmsg.h:459 [inline]
	sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
	unix_release+0x4b/0x80 net/unix/af_unix.c:1048
	__sock_release net/socket.c:659 [inline]
	sock_close+0x68/0x150 net/socket.c:1421
	__fput+0x2c1/0x660 fs/file_table.c:422
	__fput_sync+0x44/0x60 fs/file_table.c:507
	__do_sys_close fs/open.c:1556 [inline]
	__se_sys_close+0x101/0x1b0 fs/open.c:1541
	__x64_sys_close+0x1f/0x30 fs/open.c:1541
	do_syscall_64+0xd3/0x1d0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
	sk_psock_data_ready include/linux/skmsg.h:464 [inline]
	sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
	sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
	sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
	sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
	unix_read_skb net/unix/af_unix.c:2546 [inline]
	unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
	sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
	unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x140/0x180 net/socket.c:745
	____sys_sendmsg+0x312/0x410 net/socket.c:2584
	___sys_sendmsg net/socket.c:2638 [inline]
	__sys_sendmsg+0x1e9/0x280 net/socket.c:2667
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
	do_syscall_64+0xd3/0x1d0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

	Reported by Kernel Concurrency Sanitizer on:
	CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

	Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
	dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
	similarly due to no protection of saved_data_ready. Here is another
	different caller causing the same issue because of the same reason. So
	we should protect it with sk_callback_lock read lock because the writer
	side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".

	To avoid errors that could happen in future, I move those two pairs of
	lock into the sk_psock_data_ready(), which is suggested by John Fastabend.

	The Linux kernel CVE team has assigned CVE-2024-36938 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.223 with commit c0809c128dad4c3413818384eb06a341633db973
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.159 with commit 5965bc7535fb87510b724e5465ccc1a1cf00916d
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.1.91 with commit 39dc9e1442385d6e9be0b6491ee488dddd55ae27
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.6.31 with commit b397a0ab8582c533ec0c6b732392f141fc364f87
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.8.10 with commit 772d5729b5ff0df0d37b32db600ce635b2172f80
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.9 with commit 6648e613226e18897231ab5e42ffc29e63fa3365

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36938
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/skmsg.h
	net/core/skmsg.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973
	https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d
	https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27
	https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87
	https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80
	https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365