ghsa-6xc5-7hvv-v7jc
Vulnerability from github
Published
2024-05-21 15:31
Modified
2024-05-21 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: ensure tx skbs always have the MPTCP ext

Due to signed/unsigned comparison, the expression:

info->size_goal - skb->len > 0

evaluates to true when the size goal is smaller than the skb size. That results in lack of tx cache refill, so that the skb allocated by the core TCP code lacks the required MPTCP skb extensions.

Due to the above, syzbot is able to trigger the following WARN_ON():

WARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366 Modules linked in: CPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366 Code: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 <0f> 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9 RSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216 RAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000 RDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003 RBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280 R13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0 FS: 00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547 mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003 release_sock+0xb4/0x1b0 net/core/sock.c:3206 sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145 mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 sock_write_iter+0x2a0/0x3e0 net/socket.c:1057 call_write_iter include/linux/fs.h:2163 [inline] new_sync_write+0x40b/0x640 fs/read_write.c:507 vfs_write+0x7cf/0xae0 fs/read_write.c:594 ksys_write+0x1ee/0x250 fs/read_write.c:647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9 RDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000

Fix the issue rewriting the relevant expression to avoid sign-related problems - note: size_goal is always >= 0.

Additionally, ensure that the skb in the tx cache always carries the relevant extension.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2021-47370"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:22Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure tx skbs always have the MPTCP ext\n\nDue to signed/unsigned comparison, the expression:\n\n\tinfo-\u003esize_goal - skb-\u003elen \u003e 0\n\nevaluates to true when the size goal is smaller than the\nskb size. That results in lack of tx cache refill, so that\nthe skb allocated by the core TCP code lacks the required\nMPTCP skb extensions.\n\nDue to the above, syzbot is able to trigger the following WARN_ON():\n\nWARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nModules linked in:\nCPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nCode: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 \u003c0f\u003e 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9\nRSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216\nRAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000\nRDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003\nRBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280\nR13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0\nFS:  00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547\n mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003\n release_sock+0xb4/0x1b0 net/core/sock.c:3206\n sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145\n mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749\n inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n sock_write_iter+0x2a0/0x3e0 net/socket.c:1057\n call_write_iter include/linux/fs.h:2163 [inline]\n new_sync_write+0x40b/0x640 fs/read_write.c:507\n vfs_write+0x7cf/0xae0 fs/read_write.c:594\n ksys_write+0x1ee/0x250 fs/read_write.c:647\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9\nRDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038\nR13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000\n\nFix the issue rewriting the relevant expression to avoid\nsign-related problems - note: size_goal is always \u003e= 0.\n\nAdditionally, ensure that the skb in the tx cache always carries\nthe relevant extension.",
  "id": "GHSA-6xc5-7hvv-v7jc",
  "modified": "2024-05-21T15:31:44Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47370"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/977d293e23b48a1129830d7968605f61c4af71a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8ff625a8082db8c2b58dcb5229b27928943b94b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.