Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Brennan Lamoreaux]

Hi stable maintainers,

The following patch in mainline is listed as a fix for CVE-2023-2176:
8d037973d48c026224ab285e6a06985ccac6f7bf (RDMA/core: Refactor rdma_bind_addr)

And the following is a fix for a regression in the above patch:
0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 (RDMA/core: Update CMA destination address on rdma_resolve_addr)

To my knowledge, at least back to v6.1 is vulnerable to this same bug.
Since these should apply directly to 6.1.y, can these be picked up for that branch?

Regards,
Brennan

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Greg KH]

On Tue, Feb 27, 2024 at 04:15:06PM -0800, Brennan Lamoreaux wrote:
> Hi stable maintainers,
> 
> The following patch in mainline is listed as a fix for CVE-2023-2176:
> 8d037973d48c026224ab285e6a06985ccac6f7bf (RDMA/core: Refactor rdma_bind_addr)
> 
> And the following is a fix for a regression in the above patch:
> 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 (RDMA/core: Update CMA destination address on rdma_resolve_addr)
> 
> To my knowledge, at least back to v6.1 is vulnerable to this same bug.
> Since these should apply directly to 6.1.y, can these be picked up for that branch?

If you provide a working backport of that commit, we will be glad to
apply it.  As-is, it does not apply at all, which is why it was never
added to the 6.1.y tree.

thanks,

greg k-h

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Brennan Lamoreaux]

> If you provide a working backport of that commit, we will be glad to
> apply it.  As-is, it does not apply at all, which is why it was never
> added to the 6.1.y tree.

Oh, apologies for requesting if they don't apply. I'd be happy to submit
working backports for these patches, but I am not seeing any issues applying/building
the patches on my machine... Both patches in sequence applied directly and my
local build was successful.

This is the workflow I tested:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
make allyesconfig
make

Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
for some other reason.

Thanks,
Brennan

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Ajay Kaher]

On Thu, Feb 29, 2024 at 12:13 AM Brennan Lamoreaux
<brennan.lamoreaux@broadcom.com> wrote:
>
> > If you provide a working backport of that commit, we will be glad to
> > apply it.  As-is, it does not apply at all, which is why it was never
> > added to the 6.1.y tree.
>
> Oh, apologies for requesting if they don't apply. I'd be happy to submit
> working backports for these patches, but I am not seeing any issues applying/building
> the patches on my machine... Both patches in sequence applied directly and my
> local build was successful.
>
> This is the workflow I tested:
>
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> git checkout FETCH_HEAD
> git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
> git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
> make allyesconfig
> make
>
> Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
> for some other reason.
>

I guess the reason is:

8d037973d48c026224ab285e6a06985ccac6f7bf doesn't have "Fixes:" and is
not sent to stable@vger.kernel.org.
And 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 is to Fix
8d037973d48c026224ab285e6a06985ccac6f7bf,
so no need of 0e158 if 8d03 not backported to that particular branch.

- Ajay

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Greg KH]

On Thu, Feb 29, 2024 at 02:05:39PM +0530, Ajay Kaher wrote:
> On Thu, Feb 29, 2024 at 12:13 AM Brennan Lamoreaux
> <brennan.lamoreaux@broadcom.com> wrote:
> >
> > > If you provide a working backport of that commit, we will be glad to
> > > apply it.  As-is, it does not apply at all, which is why it was never
> > > added to the 6.1.y tree.
> >
> > Oh, apologies for requesting if they don't apply. I'd be happy to submit
> > working backports for these patches, but I am not seeing any issues applying/building
> > the patches on my machine... Both patches in sequence applied directly and my
> > local build was successful.
> >
> > This is the workflow I tested:
> >
> > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > git checkout FETCH_HEAD
> > git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
> > git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
> > make allyesconfig
> > make
> >
> > Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
> > for some other reason.
> >
> 
> I guess the reason is:
> 
> 8d037973d48c026224ab285e6a06985ccac6f7bf doesn't have "Fixes:" and is
> not sent to stable@vger.kernel.org.
> And 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 is to Fix
> 8d037973d48c026224ab285e6a06985ccac6f7bf,
> so no need of 0e158 if 8d03 not backported to that particular branch.

Ok, so there's nothing to do here, great!  If there is, please let us
know.

greg k-h

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Ajay Kaher]

On Mon, Mar 4, 2024 at 12:14 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Feb 29, 2024 at 02:05:39PM +0530, Ajay Kaher wrote:
> > On Thu, Feb 29, 2024 at 12:13 AM Brennan Lamoreaux
> > <brennan.lamoreaux@broadcom.com> wrote:
> > >
> > > > If you provide a working backport of that commit, we will be glad to
> > > > apply it.  As-is, it does not apply at all, which is why it was never
> > > > added to the 6.1.y tree.
> > >
> > > Oh, apologies for requesting if they don't apply. I'd be happy to submit
> > > working backports for these patches, but I am not seeing any issues applying/building
> > > the patches on my machine... Both patches in sequence applied directly and my
> > > local build was successful.
> > >
> > > This is the workflow I tested:
> > >
> > > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > > git checkout FETCH_HEAD
> > > git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
> > > git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
> > > make allyesconfig
> > > make
> > >
> > > Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
> > > for some other reason.
> > >
> >
> > I guess the reason is:
> >
> > 8d037973d48c026224ab285e6a06985ccac6f7bf doesn't have "Fixes:" and is
> > not sent to stable@vger.kernel.org.
> > And 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 is to Fix
> > 8d037973d48c026224ab285e6a06985ccac6f7bf,
> > so no need of 0e158 if 8d03 not backported to that particular branch.
>
> Ok, so there's nothing to do here, great!  If there is, please let us
> know.
>

In my previous mail, I was guessing why 8d037973d48c commit was not
backported to v6.1.

However Brennan's concern is:

As per CVE-2023-2176, because of improper cleanup local users can
crash the system.
And this crash was reported in v5.19, refer:
https://lore.kernel.org/all/ec81a9d50462d9b9303966176b17b85f7dfbb96a.1670749660.git.leonro@nvidia.com/#t

However, fix i.e. 8d037973d48c applied to master from v6.3-rc1 and not
backported to any stable or LTS.
So v6.1 is still vulnarbile, so 8d037973d48c and 0e15863015d9 should
be backported to v6.1.

- Ajay

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Greg KH]

On Mon, Mar 04, 2024 at 02:21:22PM +0530, Ajay Kaher wrote:
> On Mon, Mar 4, 2024 at 12:14 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Feb 29, 2024 at 02:05:39PM +0530, Ajay Kaher wrote:
> > > On Thu, Feb 29, 2024 at 12:13 AM Brennan Lamoreaux
> > > <brennan.lamoreaux@broadcom.com> wrote:
> > > >
> > > > > If you provide a working backport of that commit, we will be glad to
> > > > > apply it.  As-is, it does not apply at all, which is why it was never
> > > > > added to the 6.1.y tree.
> > > >
> > > > Oh, apologies for requesting if they don't apply. I'd be happy to submit
> > > > working backports for these patches, but I am not seeing any issues applying/building
> > > > the patches on my machine... Both patches in sequence applied directly and my
> > > > local build was successful.
> > > >
> > > > This is the workflow I tested:
> > > >
> > > > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > > > git checkout FETCH_HEAD
> > > > git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
> > > > git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
> > > > make allyesconfig
> > > > make
> > > >
> > > > Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
> > > > for some other reason.
> > > >
> > >
> > > I guess the reason is:
> > >
> > > 8d037973d48c026224ab285e6a06985ccac6f7bf doesn't have "Fixes:" and is
> > > not sent to stable@vger.kernel.org.
> > > And 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 is to Fix
> > > 8d037973d48c026224ab285e6a06985ccac6f7bf,
> > > so no need of 0e158 if 8d03 not backported to that particular branch.
> >
> > Ok, so there's nothing to do here, great!  If there is, please let us
> > know.
> >
> 
> In my previous mail, I was guessing why 8d037973d48c commit was not
> backported to v6.1.
> 
> However Brennan's concern is:
> 
> As per CVE-2023-2176, because of improper cleanup local users can
> crash the system.
> And this crash was reported in v5.19, refer:
> https://lore.kernel.org/all/ec81a9d50462d9b9303966176b17b85f7dfbb96a.1670749660.git.leonro@nvidia.com/#t
> 
> However, fix i.e. 8d037973d48c applied to master from v6.3-rc1 and not
> backported to any stable or LTS.
> So v6.1 is still vulnarbile, so 8d037973d48c and 0e15863015d9 should
> be backported to v6.1.

Ah, thanks, sorry for the confusion.  Both now queued up.

greg k-h

Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Ajay Kaher]

On Mon, Mar 4, 2024 at 2:50 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Mon, Mar 04, 2024 at 02:21:22PM +0530, Ajay Kaher wrote:
> > On Mon, Mar 4, 2024 at 12:14 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Thu, Feb 29, 2024 at 02:05:39PM +0530, Ajay Kaher wrote:
> > > > On Thu, Feb 29, 2024 at 12:13 AM Brennan Lamoreaux
> > > > <brennan.lamoreaux@broadcom.com> wrote:
> > > > >
> > > > > > If you provide a working backport of that commit, we will be glad to
> > > > > > apply it.  As-is, it does not apply at all, which is why it was never
> > > > > > added to the 6.1.y tree.
> > > > >
> > > > > Oh, apologies for requesting if they don't apply. I'd be happy to submit
> > > > > working backports for these patches, but I am not seeing any issues applying/building
> > > > > the patches on my machine... Both patches in sequence applied directly and my
> > > > > local build was successful.
> > > > >
> > > > > This is the workflow I tested:
> > > > >
> > > > > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > > > > git checkout FETCH_HEAD
> > > > > git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
> > > > > git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
> > > > > make allyesconfig
> > > > > make
> > > > >
> > > > > Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
> > > > > for some other reason.
> > > > >
> > > >
> > > > I guess the reason is:
> > > >
> > > > 8d037973d48c026224ab285e6a06985ccac6f7bf doesn't have "Fixes:" and is
> > > > not sent to stable@vger.kernel.org.
> > > > And 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 is to Fix
> > > > 8d037973d48c026224ab285e6a06985ccac6f7bf,
> > > > so no need of 0e158 if 8d03 not backported to that particular branch.
> > >
> > > Ok, so there's nothing to do here, great!  If there is, please let us
> > > know.
> > >
> >
> > In my previous mail, I was guessing why 8d037973d48c commit was not
> > backported to v6.1.
> >
> > However Brennan's concern is:
> >
> > As per CVE-2023-2176, because of improper cleanup local users can
> > crash the system.
> > And this crash was reported in v5.19, refer:
> > https://lore.kernel.org/all/ec81a9d50462d9b9303966176b17b85f7dfbb96a.1670749660.git.leonro@nvidia.com/#t
> >
> > However, fix i.e. 8d037973d48c applied to master from v6.3-rc1 and not
> > backported to any stable or LTS.
> > So v6.1 is still vulnarbile, so 8d037973d48c and 0e15863015d9 should
> > be backported to v6.1.
>
> Ah, thanks, sorry for the confusion.  Both now queued up.
>

So quick, thanks.

- Ajay