CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Greg Kroah-Hartman]

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

io_uring: drop any code related to SCM_RIGHTS

This is dead code after we dropped support for passing io_uring fds
over SCM_RIGHTS, get rid of it.

The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.


Affected and fixed versions
===========================

	Fixed in 5.4.273 with commit cfb24022bb2c
	Fixed in 5.10.214 with commit a6771f343af9
	Fixed in 5.15.153 with commit d909d381c315
	Fixed in 6.1.83 with commit a3812a47a320
	Fixed in 6.7.11 with commit 88c49d9c8961
	Fixed in 6.8 with commit 6e5e6d274956

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52656
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/io_uring_types.h
	io_uring/filetable.c
	io_uring/io_uring.c
	io_uring/rsrc.c
	io_uring/rsrc.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3
	https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02
	https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4
	https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b
	https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89
	https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Gabriel Krisman Bertazi]

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> io_uring: drop any code related to SCM_RIGHTS
>
> This is dead code after we dropped support for passing io_uring fds
> over SCM_RIGHTS, get rid of it.
>
> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.

Hello Greg,

[+Jens in Cc]

This is stable material, but doesn't deserve CVE status.  There is
nothing exploitable that is fixed here. Instead, this commit is dropping
unreachable code after the removal of a feature, following another CVE
report.  Doing the clean up in the original patch would have made the
real security fix harder to review.

The real issue was reported as CVE-2023-52654 and handled by a different
commit.

-- 
Gabriel Krisman Bertazi

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Jens Axboe]

On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote:
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> 
>> Description
>> ===========
>>
>> In the Linux kernel, the following vulnerability has been resolved:
>>
>> io_uring: drop any code related to SCM_RIGHTS
>>
>> This is dead code after we dropped support for passing io_uring fds
>> over SCM_RIGHTS, get rid of it.
>>
>> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.
> 
> Hello Greg,
> 
> [+Jens in Cc]
> 
> This is stable material, but doesn't deserve CVE status.  There is
> nothing exploitable that is fixed here. Instead, this commit is dropping
> unreachable code after the removal of a feature, following another CVE
> report.  Doing the clean up in the original patch would have made the
> real security fix harder to review.
> 
> The real issue was reported as CVE-2023-52654 and handled by a different
> commit.

FWIW, the same is true for a number of other commits recently. They are
nowhere near CVE material, it's just generic bug fixes.

-- 
Jens Axboe

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Greg Kroah-Hartman]

On Fri, May 24, 2024 at 10:57:07AM -0600, Jens Axboe wrote:
> On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote:
> > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> > 
> >> Description
> >> ===========
> >>
> >> In the Linux kernel, the following vulnerability has been resolved:
> >>
> >> io_uring: drop any code related to SCM_RIGHTS
> >>
> >> This is dead code after we dropped support for passing io_uring fds
> >> over SCM_RIGHTS, get rid of it.
> >>
> >> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.
> > 
> > Hello Greg,
> > 
> > [+Jens in Cc]
> > 
> > This is stable material, but doesn't deserve CVE status.  There is
> > nothing exploitable that is fixed here. Instead, this commit is dropping
> > unreachable code after the removal of a feature, following another CVE
> > report.  Doing the clean up in the original patch would have made the
> > real security fix harder to review.
> > 
> > The real issue was reported as CVE-2023-52654 and handled by a different
> > commit.
> 
> FWIW, the same is true for a number of other commits recently. They are
> nowhere near CVE material, it's just generic bug fixes.

Ok, glad to revoke them if you do not think they are user triggerable
issues.  I'll go reject this one right now, thanks.

greg k-h

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Greg Kroah-Hartman]

On Sat, May 25, 2024 at 05:09:45PM +0200, Eduardo' Vela" <Nava> wrote:
> On Sat, 25 May 2024, 09:15 Greg Kroah-Hartman, <gregkh@linuxfoundation.org>
> wrote:
> 
> > On Fri, May 24, 2024 at 10:57:07AM -0600, Jens Axboe wrote:
> > > On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote:
> > > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> > > >
> > > >> Description
> > > >> ===========
> > > >>
> > > >> In the Linux kernel, the following vulnerability has been resolved:
> > > >>
> > > >> io_uring: drop any code related to SCM_RIGHTS
> > > >>
> > > >> This is dead code after we dropped support for passing io_uring fds
> > > >> over SCM_RIGHTS, get rid of it.
> > > >>
> > > >> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.
> > > >
> > > > Hello Greg,
> > > >
> > > > [+Jens in Cc]
> > > >
> > > > This is stable material, but doesn't deserve CVE status.  There is
> > > > nothing exploitable that is fixed here. Instead, this commit is
> > dropping
> > > > unreachable code after the removal of a feature, following another CVE
> > > > report.  Doing the clean up in the original patch would have made the
> > > > real security fix harder to review.
> > > >
> > > > The real issue was reported as CVE-2023-52654 and handled by a
> > different
> > > > commit.
> > >
> > > FWIW, the same is true for a number of other commits recently. They are
> > > nowhere near CVE material, it's just generic bug fixes.
> >
> > Ok, glad to revoke them if you do not think they are user triggerable
> > issues.  I'll go reject this one right now, thanks.
> >
> 
> Good day!
> 
> So, either I'm completely lost or CVE-2023-52656 shouldn't have been
> rejected. Forgive me for mudding the problem even more.
> 
> I think we need to unreject this CVE (CVE-2023-52656) or CVE-2023-52654
> should be amended to include the dead code removal commit.. that said,
> that'll be weirder than just unrejecting this commit.
> 
> The reason is that the commit "io_uring/af_unix: disable sending io_uring
> over sockets" is not enough to fix the vulnerability in stable branches,
> because e.g. bcedd497b3b4a0be56f3adf7c7542720eced0792 on 5.15 only fixes
> one path (io_sqe_file_register) to reach unix_inflight(), but it is still
> reachable via another path (io_sqe_fileS_register) which is only removed by
> d909d381c3152393421403be4b6435f17a2378b4 ("io_uring: drop any code related
> to SCM_RIGHTS").
> 
> Although that patch claims "it is dead code", this claim was only true on
> upstream, but not on stable branches (or at least on 5.15 where the
> vulnerability was proven to be reachable).
> 
> What a mess! 😄
> 
> My colleague poprdi@google.com sent this analysis to the CNA list, so maybe
> we can continue the discussion there as he also provided some additional
> details there.

Oh yeah, that's right, that's why we issued that!

Jens, any objection for me restoring this CVE?

thanks,

greg k-h

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Jens Axboe]

On 5/25/24 9:09 AM, Eduardo' Vela" <Nava> wrote:
> On Sat, 25 May 2024, 09:15 Greg Kroah-Hartman, <gregkh@linuxfoundation.org <mailto:gregkh@linuxfoundation.org>> wrote:
> 
>     On Fri, May 24, 2024 at 10:57:07AM -0600, Jens Axboe wrote:
>     > On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote:
>     > > Greg Kroah-Hartman <gregkh@linuxfoundation.org <mailto:gregkh@linuxfoundation.org>> writes:
>     > >
>     > >> Description
>     > >> ===========
>     > >>
>     > >> In the Linux kernel, the following vulnerability has been resolved:
>     > >>
>     > >> io_uring: drop any code related to SCM_RIGHTS
>     > >>
>     > >> This is dead code after we dropped support for passing io_uring fds
>     > >> over SCM_RIGHTS, get rid of it.
>     > >>
>     > >> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.
>     > >
>     > > Hello Greg,
>     > >
>     > > [+Jens in Cc]
>     > >
>     > > This is stable material, but doesn't deserve CVE status.  There is
>     > > nothing exploitable that is fixed here. Instead, this commit is dropping
>     > > unreachable code after the removal of a feature, following another CVE
>     > > report.  Doing the clean up in the original patch would have made the
>     > > real security fix harder to review.
>     > >
>     > > The real issue was reported as CVE-2023-52654 and handled by a different
>     > > commit.
>     >
>     > FWIW, the same is true for a number of other commits recently. They are
>     > nowhere near CVE material, it's just generic bug fixes.
> 
>     Ok, glad to revoke them if you do not think they are user triggerable
>     issues.  I'll go reject this one right now, thanks.
> 
> 
> Good day!
> 
> So, either I'm completely lost or CVE-2023-52656 shouldn't have been
> rejected. Forgive me for mudding the problem even more.
> 
> I think we need to unreject this CVE (CVE-2023-52656) or
> CVE-2023-52654 should be amended to include the dead code removal
> commit.. that said, that'll be weirder than just unrejecting this
> commit.
> 
> The reason is that the commit "io_uring/af_unix: disable sending
> io_uring over sockets" is not enough to fix the vulnerability in
> stable branches, because e.g. bcedd497b3b4a0be56f3adf7c7542720eced0792
> on 5.15 only fixes one path (io_sqe_file_register) to reach
> unix_inflight(), but it is still reachable via another path
> (io_sqe_fileS_register) which is only removed by
> d909d381c3152393421403be4b6435f17a2378b4 ("io_uring: drop any code
> related to SCM_RIGHTS").
> 
> Although that patch claims "it is dead code", this claim was only true
> on upstream, but not on stable branches (or at least on 5.15 where the
> vulnerability was proven to be reachable).
> 
> What a mess! ?

Ah right, yeah it was a mess because of the stable backports, it was not
for the upstream front. Agree Greg, let's just keep it because of the
stable side.

-- 
Jens Axboe

CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Greg Kroah-Hartman]

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

io_uring: drop any code related to SCM_RIGHTS

This is dead code after we dropped support for passing io_uring fds
over SCM_RIGHTS, get rid of it.

The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.


Affected and fixed versions
===========================

	Fixed in 5.4.273 with commit cfb24022bb2c
	Fixed in 5.10.214 with commit a6771f343af9
	Fixed in 5.15.153 with commit d909d381c315
	Fixed in 6.1.83 with commit a3812a47a320
	Fixed in 6.7.11 with commit 88c49d9c8961
	Fixed in 6.8 with commit 6e5e6d274956

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52656
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/io_uring_types.h
	io_uring/filetable.c
	io_uring/io_uring.c
	io_uring/rsrc.c
	io_uring/rsrc.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3
	https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02
	https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4
	https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b
	https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89
	https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Greg Kroah-Hartman]

On Sat, May 25, 2024 at 09:28:35AM -0600, Jens Axboe wrote:
> On 5/25/24 9:09 AM, Eduardo' Vela" <Nava> wrote:
> > On Sat, 25 May 2024, 09:15 Greg Kroah-Hartman, <gregkh@linuxfoundation.org <mailto:gregkh@linuxfoundation.org>> wrote:
> > 
> >     On Fri, May 24, 2024 at 10:57:07AM -0600, Jens Axboe wrote:
> >     > On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote:
> >     > > Greg Kroah-Hartman <gregkh@linuxfoundation.org <mailto:gregkh@linuxfoundation.org>> writes:
> >     > >
> >     > >> Description
> >     > >> ===========
> >     > >>
> >     > >> In the Linux kernel, the following vulnerability has been resolved:
> >     > >>
> >     > >> io_uring: drop any code related to SCM_RIGHTS
> >     > >>
> >     > >> This is dead code after we dropped support for passing io_uring fds
> >     > >> over SCM_RIGHTS, get rid of it.
> >     > >>
> >     > >> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.
> >     > >
> >     > > Hello Greg,
> >     > >
> >     > > [+Jens in Cc]
> >     > >
> >     > > This is stable material, but doesn't deserve CVE status.  There is
> >     > > nothing exploitable that is fixed here. Instead, this commit is dropping
> >     > > unreachable code after the removal of a feature, following another CVE
> >     > > report.  Doing the clean up in the original patch would have made the
> >     > > real security fix harder to review.
> >     > >
> >     > > The real issue was reported as CVE-2023-52654 and handled by a different
> >     > > commit.
> >     >
> >     > FWIW, the same is true for a number of other commits recently. They are
> >     > nowhere near CVE material, it's just generic bug fixes.
> > 
> >     Ok, glad to revoke them if you do not think they are user triggerable
> >     issues.  I'll go reject this one right now, thanks.
> > 
> > 
> > Good day!
> > 
> > So, either I'm completely lost or CVE-2023-52656 shouldn't have been
> > rejected. Forgive me for mudding the problem even more.
> > 
> > I think we need to unreject this CVE (CVE-2023-52656) or
> > CVE-2023-52654 should be amended to include the dead code removal
> > commit.. that said, that'll be weirder than just unrejecting this
> > commit.
> > 
> > The reason is that the commit "io_uring/af_unix: disable sending
> > io_uring over sockets" is not enough to fix the vulnerability in
> > stable branches, because e.g. bcedd497b3b4a0be56f3adf7c7542720eced0792
> > on 5.15 only fixes one path (io_sqe_file_register) to reach
> > unix_inflight(), but it is still reachable via another path
> > (io_sqe_fileS_register) which is only removed by
> > d909d381c3152393421403be4b6435f17a2378b4 ("io_uring: drop any code
> > related to SCM_RIGHTS").
> > 
> > Although that patch claims "it is dead code", this claim was only true
> > on upstream, but not on stable branches (or at least on 5.15 where the
> > vulnerability was proven to be reachable).
> > 
> > What a mess! ?
> 
> Ah right, yeah it was a mess because of the stable backports, it was not
> for the upstream front. Agree Greg, let's just keep it because of the
> stable side.

Now republished, thanks!

greg k-h

Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS

[Gabriel Krisman Bertazi]

"Eduardo' Vela\" <Nava>" <evn@google.com> writes:

> So, either I'm completely lost or CVE-2023-52656 shouldn't have been
> rejected. Forgive me for mudding the problem even more.
>
> I think we need to unreject this CVE (CVE-2023-52656) or CVE-2023-52654
> should be amended to include the dead code removal commit.. that said,
> that'll be weirder than just unrejecting this commit.
>
> The reason is that the commit "io_uring/af_unix: disable sending io_uring
> over sockets" is not enough to fix the vulnerability in stable branches,
> because e.g. bcedd497b3b4a0be56f3adf7c7542720eced0792 on 5.15 only fixes
> one path (io_sqe_file_register) to reach unix_inflight(), but it is still
> reachable via another path (io_sqe_fileS_register) which is only removed by
> d909d381c3152393421403be4b6435f17a2378b4 ("io_uring: drop any code related
> to SCM_RIGHTS").

Hm, right.  this is real for some really old stable tree.  thanks for
the clarification.

But lets agree, the above write up is literally the *only* relevant,
public information on the issue (that I could find).  And it only
appeared because we almost wrongfully rejected it.  The CVE description,
the list of affected trees and everything else in the CVE report are
absolute non-sense.  Still, the CVE report is all downstream developers
have to work on the issue.  Of course, the original commit message could
not have tracked the new information, but the analysis MUST be appended
to the CVE description.

FWIW,

	Fixed in 6.1.83 with commit a3812a47a320
	Fixed in 6.7.11 with commit 88c49d9c8961
	Fixed in 6.8 with commit 6e5e6d274956

Is nonsense, then.  We check for io_is_uring_fops(file) right before it.

Greg,

I understand we have multiple streams for security issues, including
some that might be automated through Fixes tag. But for cases like this,
where a discussion apparently happened and a human did the excellent
work of properly analyzing it, can we get a real CVE description
beyond the original commit message?  Even publishing the archives of the
original report (minus, whatever, the exploit) alongside the CVE would
improve the situation.  The old CVE process was notoriously bad with
descriptions, but this is somehow worse.

> Although that patch claims "it is dead code", this claim was only true on
> upstream, but not on stable branches (or at least on 5.15 where the
> vulnerability was proven to be reachable).

Yet, there no information about this "small" detail anywhere I can find.

> My colleague poprdi@google.com sent this analysis to the CNA list, so maybe
> we can continue the discussion there

No. this *really* needs to be discussed on an *open* list.  The CVE is
out already.

-- 
Gabriel Krisman Bertazi