Release Date: | 2024-07-29 |
In the Linux kernel, the following vulnerability has been resolved:\nskmsg: Skip zero length skb in sk_msg_recvmsg\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n[...]\nOops[#1]:\nCPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\nHardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n... ...\nra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\nERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\nCRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\nPRMD: 0000000c (PPLV0 +PIE +PWE)\nEUEN: 00000007 (+FPE +SXE +ASXE -BTE)\nECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\nESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\nBADV: 0000000000000040\nPRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\nModules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\nProcess test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\nStack : ...\nCall Trace:\n[<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n[<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n[<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n[<90000000049aae34>] inet_recvmsg+0x54/0x100\n[<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n[<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n[<900000000481e27c>] sys_recvfrom+0x1c/0x40\n[<9000000004c076ec>] do_syscall+0x8c/0xc0\n[<9000000003731da4>] handle_syscall+0xc4/0x160\nCode: ...\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Fatal exception\nKernel relocated by 0x3510000\n.text @ 0x9000000003710000\n.data @ 0x9000000004d70000\n.bss @ 0x9000000006469400\n---[ end Kernel panic - not syncing: Fatal exception ]---\n[...]\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\nshutdown(p1, SHUT_WR);\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.
See more information about CVE-2024-41048 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 4 | CVSS Vector: | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H |
Attack Vector: | Local network | Attack Complexity: | High |
Privileges Required: | High | User Interaction: | Required |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: