Message-ID: <2024100959-CVE-2024-47659-03a8@gregkh>
Date: Wed,  9 Oct 2024 16:03:02 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-47659: smack: tcp: ipv4, fix incorrect labeling

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

smack: tcp: ipv4, fix incorrect labeling

Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
when a label 'foo' connects to a label 'bar' with tcp/ipv4,
'foo' always gets 'foo' in returned ipv4 packets. So,
1) returned packets are incorrectly labeled ('foo' instead of 'bar')
2) 'bar' can write to 'foo' without being authorized to write.

Here is a scenario how to see this:

* Take two machines, let's call them C and S,
   with active Smack in the default state
   (no settings, no rules, no labeled hosts, only builtin labels)

* At S, add Smack rule 'foo bar w'
   (labels 'foo' and 'bar' are instantiated at S at this moment)

* At S, at label 'bar', launch a program
   that listens for incoming tcp/ipv4 connections

* From C, at label 'foo', connect to the listener at S.
   (label 'foo' is instantiated at C at this moment)
   Connection succeedes and works.

* Send some data in both directions.
* Collect network traffic of this connection.

All packets in both directions are labeled with the CIPSO
of the label 'foo'. Hence, label 'bar' writes to 'foo' without
being authorized, and even without ever being known at C.

If anybody cares: exactly the same happens with DCCP.

This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
and it looks unintentional. At least, no explanation was provided.

I changed returned packes label into the 'bar',
to bring it into line with the Smack documentation claims.

The Linux kernel CVE team has assigned CVE-2024-47659 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.19.322 with commit d3f56c653c65
	Fixed in 5.4.284 with commit 5b4b304f196c
	Fixed in 5.10.226 with commit a948ec993541
	Fixed in 5.15.167 with commit 0aea09e82eaf
	Fixed in 6.1.109 with commit 0776bcf9cb6d
	Fixed in 6.6.50 with commit 4be9fd15c3c8
	Fixed in 6.10.9 with commit d3703fa94116
	Fixed in 6.11 with commit 2fe209d0ad2e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47659
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	security/smack/smack_lsm.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d3f56c653c65f170b172d3c23120bc64ada645d8
	https://git.kernel.org/stable/c/5b4b304f196c070342e32a4752e1fa2e22fc0671
	https://git.kernel.org/stable/c/a948ec993541db4ef392b555c37a1186f4d61670
	https://git.kernel.org/stable/c/0aea09e82eafa50a373fc8a4b84c1d4734751e2c
	https://git.kernel.org/stable/c/0776bcf9cb6de46fdd94d10118de1cf9b05f83b9
	https://git.kernel.org/stable/c/4be9fd15c3c88775bdf6fa37acabe6de85beebff
	https://git.kernel.org/stable/c/d3703fa94116fed91f64c7d1c7d284fb4369070f
	https://git.kernel.org/stable/c/2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550

Powered by blists - more mailing lists