| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022618-CVE-2022-49204-38c3@gregkh> Date: Wed, 26 Feb 2025 02:56:49 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49204: bpf, sockmap: Fix more uncharged while msg has more_data Description =========== In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix more uncharged while msg has more_data In tcp_bpf_send_verdict(), if msg has more data after tcp_bpf_sendmsg_redir(): tcp_bpf_send_verdict() tosend = msg->sg.size //msg->sg.size = 22220 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000 goto more_data; tosend = msg->sg.size //msg->sg.size = 11000 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc The msg->sg.size(11000) has been uncharged twice, to fix we can charge the remaining msg->sg.size before goto more data. This issue can cause the following info: WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: <TASK> inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 ? vfs_write+0x237/0x290 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae </TASK> WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: <TASK> __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> The Linux kernel CVE team has assigned CVE-2022-49204 to this issue. Affected and fixed versions =========================== Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.4.189 with commit 244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.110 with commit 7b812a369e6416ab06d83cdd39d8e3f752781dd0 Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.33 with commit 168ff181f5b6e7fce684c98a30d35da1dbf8f82a Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.16.19 with commit 87d532d41ef937e16f61b3d2094f3a2ac49be365 Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.17.2 with commit abb4caa477a5450817d2aa1198edce66450aecf8 Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.18 with commit 84472b436e760ba439e1969a9e3c5ae7c86de39d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49204 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/tcp_bpf.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf https://git.kernel.org/stable/c/7b812a369e6416ab06d83cdd39d8e3f752781dd0 https://git.kernel.org/stable/c/168ff181f5b6e7fce684c98a30d35da1dbf8f82a https://git.kernel.org/stable/c/87d532d41ef937e16f61b3d2094f3a2ac49be365 https://git.kernel.org/stable/c/abb4caa477a5450817d2aa1198edce66450aecf8 https://git.kernel.org/stable/c/84472b436e760ba439e1969a9e3c5ae7c86de39d
Powered by blists - more mailing lists