cve/published/2024/CVE-2024-47659.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47659: smack: tcp: ipv4, fix incorrect labeling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 smack: tcp: ipv4, fix incorrect labeling

 Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
 when a label 'foo' connects to a label 'bar' with tcp/ipv4,
 'foo' always gets 'foo' in returned ipv4 packets. So,
 1) returned packets are incorrectly labeled ('foo' instead of 'bar')
 2) 'bar' can write to 'foo' without being authorized to write.

 Here is a scenario how to see this:

 * Take two machines, let's call them C and S,
    with active Smack in the default state
    (no settings, no rules, no labeled hosts, only builtin labels)

 * At S, add Smack rule 'foo bar w'
    (labels 'foo' and 'bar' are instantiated at S at this moment)

 * At S, at label 'bar', launch a program
    that listens for incoming tcp/ipv4 connections

 * From C, at label 'foo', connect to the listener at S.
    (label 'foo' is instantiated at C at this moment)
    Connection succeedes and works.

 * Send some data in both directions.
 * Collect network traffic of this connection.

 All packets in both directions are labeled with the CIPSO
 of the label 'foo'. Hence, label 'bar' writes to 'foo' without
 being authorized, and even without ever being known at C.

 If anybody cares: exactly the same happens with DCCP.

 This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
 and it looks unintentional. At least, no explanation was provided.

 I changed returned packes label into the 'bar',
 to bring it into line with the Smack documentation claims.

 The Linux kernel CVE team has assigned CVE-2024-47659 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.322 with commit d3f56c653c65f170b172d3c23120bc64ada645d8
 	Fixed in 5.4.284 with commit 5b4b304f196c070342e32a4752e1fa2e22fc0671
 	Fixed in 5.10.226 with commit a948ec993541db4ef392b555c37a1186f4d61670
 	Fixed in 5.15.167 with commit 0aea09e82eafa50a373fc8a4b84c1d4734751e2c
 	Fixed in 6.1.109 with commit 0776bcf9cb6de46fdd94d10118de1cf9b05f83b9
 	Fixed in 6.6.50 with commit 4be9fd15c3c88775bdf6fa37acabe6de85beebff
 	Fixed in 6.10.9 with commit d3703fa94116fed91f64c7d1c7d284fb4369070f
 	Fixed in 6.11 with commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47659
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	security/smack/smack_lsm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d3f56c653c65f170b172d3c23120bc64ada645d8
 	https://git.kernel.org/stable/c/5b4b304f196c070342e32a4752e1fa2e22fc0671
 	https://git.kernel.org/stable/c/a948ec993541db4ef392b555c37a1186f4d61670
 	https://git.kernel.org/stable/c/0aea09e82eafa50a373fc8a4b84c1d4734751e2c
 	https://git.kernel.org/stable/c/0776bcf9cb6de46fdd94d10118de1cf9b05f83b9
 	https://git.kernel.org/stable/c/4be9fd15c3c88775bdf6fa37acabe6de85beebff
 	https://git.kernel.org/stable/c/d3703fa94116fed91f64c7d1c7d284fb4369070f
 	https://git.kernel.org/stable/c/2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47659: smack: tcp: ipv4, fix incorrect labeling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	smack: tcp: ipv4, fix incorrect labeling

	Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
	when a label 'foo' connects to a label 'bar' with tcp/ipv4,
	'foo' always gets 'foo' in returned ipv4 packets. So,
	1) returned packets are incorrectly labeled ('foo' instead of 'bar')
	2) 'bar' can write to 'foo' without being authorized to write.

	Here is a scenario how to see this:

	* Take two machines, let's call them C and S,
	with active Smack in the default state
	(no settings, no rules, no labeled hosts, only builtin labels)

	* At S, add Smack rule 'foo bar w'
	(labels 'foo' and 'bar' are instantiated at S at this moment)

	* At S, at label 'bar', launch a program
	that listens for incoming tcp/ipv4 connections

	* From C, at label 'foo', connect to the listener at S.
	(label 'foo' is instantiated at C at this moment)
	Connection succeedes and works.

	* Send some data in both directions.
	* Collect network traffic of this connection.

	All packets in both directions are labeled with the CIPSO
	of the label 'foo'. Hence, label 'bar' writes to 'foo' without
	being authorized, and even without ever being known at C.

	If anybody cares: exactly the same happens with DCCP.

	This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
	and it looks unintentional. At least, no explanation was provided.

	I changed returned packes label into the 'bar',
	to bring it into line with the Smack documentation claims.

	The Linux kernel CVE team has assigned CVE-2024-47659 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.322 with commit d3f56c653c65f170b172d3c23120bc64ada645d8
	Fixed in 5.4.284 with commit 5b4b304f196c070342e32a4752e1fa2e22fc0671
	Fixed in 5.10.226 with commit a948ec993541db4ef392b555c37a1186f4d61670
	Fixed in 5.15.167 with commit 0aea09e82eafa50a373fc8a4b84c1d4734751e2c
	Fixed in 6.1.109 with commit 0776bcf9cb6de46fdd94d10118de1cf9b05f83b9
	Fixed in 6.6.50 with commit 4be9fd15c3c88775bdf6fa37acabe6de85beebff
	Fixed in 6.10.9 with commit d3703fa94116fed91f64c7d1c7d284fb4369070f
	Fixed in 6.11 with commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47659
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	security/smack/smack_lsm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d3f56c653c65f170b172d3c23120bc64ada645d8
	https://git.kernel.org/stable/c/5b4b304f196c070342e32a4752e1fa2e22fc0671
	https://git.kernel.org/stable/c/a948ec993541db4ef392b555c37a1186f4d61670
	https://git.kernel.org/stable/c/0aea09e82eafa50a373fc8a4b84c1d4734751e2c
	https://git.kernel.org/stable/c/0776bcf9cb6de46fdd94d10118de1cf9b05f83b9
	https://git.kernel.org/stable/c/4be9fd15c3c88775bdf6fa37acabe6de85beebff
	https://git.kernel.org/stable/c/d3703fa94116fed91f64c7d1c7d284fb4369070f
	https://git.kernel.org/stable/c/2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550