| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022646-CVE-2022-49372-45e1@gregkh> Date: Wed, 26 Feb 2025 03:10:46 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49372: tcp: tcp_rtx_synack() can be called from process context Description =========== In the Linux kernel, the following vulnerability has been resolved: tcp: tcp_rtx_synack() can be called from process context Laurent reported the enclosed report [1] This bug triggers with following coditions: 0) Kernel built with CONFIG_DEBUG_PREEMPT=y 1) A new passive FastOpen TCP socket is created. This FO socket waits for an ACK coming from client to be a complete ESTABLISHED one. 2) A socket operation on this socket goes through lock_sock() release_sock() dance. 3) While the socket is owned by the user in step 2), a retransmit of the SYN is received and stored in socket backlog. 4) At release_sock() time, the socket backlog is processed while in process context. 5) A SYNACK packet is cooked in response of the SYN retransmit. 6) -> tcp_rtx_synack() is called in process context. Before blamed commit, tcp_rtx_synack() was always called from BH handler, from a timer handler. Fix this by using TCP_INC_STATS() & NET_INC_STATS() which do not assume caller is in non preemptible context. [1] BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 caller is tcp_rtx_synack.part.0+0x36/0xc0 CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 Call Trace: <TASK> dump_stack_lvl+0x48/0x5e check_preemption_disabled+0xde/0xe0 tcp_rtx_synack.part.0+0x36/0xc0 tcp_rtx_synack+0x8d/0xa0 ? kmem_cache_alloc+0x2e0/0x3e0 ? apparmor_file_alloc_security+0x3b/0x1f0 inet_rtx_syn_ack+0x16/0x30 tcp_check_req+0x367/0x610 tcp_rcv_state_process+0x91/0xf60 ? get_nohz_timer_target+0x18/0x1a0 ? lock_timer_base+0x61/0x80 ? preempt_count_add+0x68/0xa0 tcp_v4_do_rcv+0xbd/0x270 __release_sock+0x6d/0xb0 release_sock+0x2b/0x90 sock_setsockopt+0x138/0x1140 ? __sys_getsockname+0x7e/0xc0 ? aa_sk_perm+0x3e/0x1a0 __sys_setsockopt+0x198/0x1e0 __x64_sys_setsockopt+0x21/0x30 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae The Linux kernel CVE team has assigned CVE-2022-49372 to this issue. Affected and fixed versions =========================== Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 4.9.318 with commit 3db889f883e65bbd3b1401279bfc1e9ed255c481 Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 4.14.283 with commit c348b0f8d035fc4bdc040796889beec7218bd1b8 Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 4.19.247 with commit 58bd38cbc961fd799842b7be8c5222310f04b908 Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 5.4.198 with commit d05c2fdf8e10528bb6751bd95243e862d5402a9b Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 5.10.122 with commit 0a0f7f84148445c9f02f226928803a870139d820 Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 5.15.47 with commit 88cd232146207ff1d41dededed5e77c0d4438113 Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 5.17.15 with commit bdc28a8fb43cc476e33b11519235adb816ce00e8 Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 5.18.4 with commit d8e1bc6029acac796293310aacef7b7336f35b6a Issue introduced in 3.7 with commit 168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef and fixed in 5.19 with commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49372 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/tcp_output.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3db889f883e65bbd3b1401279bfc1e9ed255c481 https://git.kernel.org/stable/c/c348b0f8d035fc4bdc040796889beec7218bd1b8 https://git.kernel.org/stable/c/58bd38cbc961fd799842b7be8c5222310f04b908 https://git.kernel.org/stable/c/d05c2fdf8e10528bb6751bd95243e862d5402a9b https://git.kernel.org/stable/c/0a0f7f84148445c9f02f226928803a870139d820 https://git.kernel.org/stable/c/88cd232146207ff1d41dededed5e77c0d4438113 https://git.kernel.org/stable/c/bdc28a8fb43cc476e33b11519235adb816ce00e8 https://git.kernel.org/stable/c/d8e1bc6029acac796293310aacef7b7336f35b6a https://git.kernel.org/stable/c/0a375c822497ed6ad6b5da0792a12a6f1af10c0b
Powered by blists - more mailing lists