APPLIED [OEM-5.14, OEM-5.17, OEM-6.0] Re: [UBUNTU Bionic/Focal/OEM-5.14/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar/Unstable 0/2] CVE-2023-0461
Timo Aaltonen
tjaalton at ubuntu.com
Tue Feb 7 14:28:50 UTC 2023
Thadeu Lima de Souza Cascardo wrote on 26.1.2023 at 20:54:
> [Impact]
> Unprivileged users may set a ULP on a connected TCP socket, make it into a
> listener and trigger a double free when that listener socket is cloned
> during a connection.
>
> [Fix]
> The fix is to prevent listening sockets from having a ULP. On older kernels,
> where the only ULP is TLS, it is enough to prevent listen(2) from succeeding on
> a socket that has a ULP set. That is because the init hook of TLS will
> prevent non-connected sockets from having the ULP set.
>
> On later kernels, it is also necessary to prevent setsockopt(TCP_ULP) to
> succeed when the socket is in a listening state. It should also allow such
> operations to succeed on ULPs that support the clone operation/hook.
>
> [Backports]
> Some context had to be adjusted on some kernels. But on focal and bionic,
> the clone hook does not exist, so the check for it had to be removed. Also,
> upstream decided not to check for the state on tcp_set_ulp. Notice
> that focal already picked this up from linux-5.4.y and it is the same patch
> as the one we applied on bionic. Still sending it here for completion.
>
> Lunar and Unstable already have the first patch, only sending the second
> one for completeness.
>
> [Test case]
> A test trying to change a ULP-set socket from connected to listen state was
> done. Before the fix, the complete test eventually leads to a crash. After
> the fix, the listen() syscall fails and all is fine.
>
> [Potential regression]
> ULP users (especially TLS on older kernels) may hit upon problems.
>
> Paolo Abeni (2):
> net/ulp: prevent ULP without clone op from entering the LISTEN status
> net/ulp: use consistent error code when blocking ULP
>
> net/ipv4/inet_connection_sock.c | 14 ++++++++++++++
> net/ipv4/tcp_ulp.c | 4 ++++
> 2 files changed, 18 insertions(+)
>
applied to oem kernels, thanks
--
t