From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2024-53123: mptcp: error out earlier on disconnect
Date: Mon, 2 Dec 2024 14:53:02 +0100
Message-ID: <2024120252-CVE-2024-53123-cd09@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mptcp: error out earlier on disconnect

Eric reported a division by zero splat in the MPTCP protocol:

Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted 6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163
Call Trace:
 __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493
 mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline]
 mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289
 inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885
 sock_recvmsg_nosec net/socket.c:1051 [inline]
 sock_recvmsg+0x1b2/0x250 net/socket.c:1073
 __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265
 __do_sys_recvfrom net/socket.c:2283 [inline]
 __se_sys_recvfrom net/socket.c:2279 [inline]
 __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

and provided a nice reproducer.

The root cause is the current bad handling of racing disconnect.
After the blamed commit below, sk_wait_data() can return (with error)
with the underlying socket disconnected and a zero rcv_mss.

Catch the error and return without performing any additional
operations on the current socket.

The Linux kernel CVE team has assigned CVE-2024-53123 to this issue.
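To make the bug class concrete, here is a constructed C model (added here, not the kernel's code) of the race the commit message describes: wait_data() stands in for sk_wait_data() and returns an error while leaving rcv_mss at zero, select_window() stands in for the division in __tcp_select_window(), and the buggy and fixed receive paths differ only in whether that error is checked before the socket is touched again. Every name, error code and value in the block is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model of the bug described above, not the kernel's code: a wait
 * helper fails on a racing disconnect, leaves rcv_mss == 0, and a division follows. */
struct sock_model {
    bool disconnected;        /* a concurrent disconnect() hit this socket */
    unsigned int rcv_mss;     /* 0 once the underlying subflow is torn down */
    unsigned int free_space;  /* receive buffer space to advertise */
};
/* Stand-in for sk_wait_data(): on a racing disconnect it returns an error
 * and the socket it leaves behind has rcv_mss == 0. */
static int wait_data(struct sock_model *sk)
{
    if (!sk->disconnected)
        return 0;
    sk->rcv_mss = 0;
    return -ECONNABORTED;  /* constructed error code for the model */
}

/* Stand-in for the window rounding in __tcp_select_window(). A real kernel
 * faults on rcv_mss == 0; the model returns -1 so the case is observable. */
static long select_window(const struct sock_model *sk)
{
    if (sk->rcv_mss == 0)
        return -1;  /* this is where the divide-by-zero oops fires */
    return (long)(sk->free_space / sk->rcv_mss * sk->rcv_mss);
}

/* Pre-fix shape: wait_data()'s error is dropped and the zero rcv_mss reaches the division. */
long recvmsg_buggy(struct sock_model *sk)
{
    wait_data(sk);  /* return value discarded */
    return select_window(sk);
}

/* Post-fix shape: catch the error and return before touching the socket. */
long recvmsg_fixed(struct sock_model *sk)
{
    int err = wait_data(sk);
    if (err)
        return err;  /* no further work on a disconnected socket */
    return select_window(sk);
}
/* One receive against a fresh socket (MSS 1460, 65535 bytes free), constructed. */
long run_case(bool racing_disconnect, bool use_fix)
{
    struct sock_model sk = { racing_disconnect, 1460, 65535 };
    return use_fix ? recvmsg_fixed(&sk) : recvmsg_buggy(&sk);
}
```

With no disconnect both paths advertise 64240 bytes (65535 rounded down to a multiple of 1460); with a racing disconnect the buggy path reaches the division on a zero rcv_mss while the fixed path returns the error instead.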
Affected and fixed versions
===========================

	Issue introduced in 6.1.60 with commit ec9bc89a0188 and fixed in 6.1.119 with commit a749b23059b4
	Issue introduced in 6.6 with commit 419ce133ab92 and fixed in 6.6.63 with commit a66805c9b22c
	Issue introduced in 6.6 with commit 419ce133ab92 and fixed in 6.11.10 with commit 955388e1d5d2
	Issue introduced in 6.6 with commit 419ce133ab92 and fixed in 6.12 with commit 581302298524
	Issue introduced in 6.5.9 with commit 30fa7600e058

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53123
will be updated if fixes are backported. Please check that for the most
up-to-date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/mptcp/protocol.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/a749b23059b43a9b1787eb36c5d9d44150a34238
	https://git.kernel.org/stable/c/a66805c9b22caf4e42af7a616f6c6b83c90d1010
	https://git.kernel.org/stable/c/955388e1d5d222c4101c596b536d41b91a8b212e
	https://git.kernel.org/stable/c/581302298524e9d77c4c44ff5156a6cd112227ae