[UBUNTU Bionic/Focal/OEM-5.14/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar/Unstable 0/2] CVE-2023-0461
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu Jan 26 18:54:50 UTC 2023
[Impact]
Unprivileged users may set a ULP on a connected TCP socket, make it into a
listener and trigger a double free when that listener socket is cloned
during a connection.
[Fix]
The fix is to prevent listening sockets from having a ULP. On older kernels,
where the only ULP is TLS, it is enough to prevent listen(2) from succeeding on
a socket that has a ULP set. That is because the init hook of TLS will
prevent non-connected sockets from having the ULP set.
On later kernels, it is also necessary to prevent setsockopt(TCP_ULP) from
succeeding when the socket is in a listening state. It should also allow such
operations to succeed on ULPs that support the clone operation/hook.
[Backports]
Some context had to be adjusted on some kernels. But on focal and bionic,
the clone hook does not exist, so the check for it had to be removed. Also,
upstream decided not to check for the state on tcp_set_ulp. Notice
that focal already picked this up from linux-5.4.y and it is the same patch
as the one we applied on bionic. Still sending it here for completeness.
Lunar and Unstable already have the first patch, only sending the second
one for completeness.
[Test case]
A test trying to change a ULP-set socket from connected to listen state was
done. Before the fix, the complete test eventually leads to a crash. After
the fix, the listen() syscall fails and all is fine.
[Potential regression]
ULP users (especially TLS on older kernels) may hit upon problems.
Paolo Abeni (2):
net/ulp: prevent ULP without clone op from entering the LISTEN status
net/ulp: use consistent error code when blocking ULP
net/ipv4/inet_connection_sock.c | 14 ++++++++++++++
net/ipv4/tcp_ulp.c | 4 ++++
2 files changed, 18 insertions(+)
--
2.34.1
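The [Test case] above is described only in prose. The probe below is an added example, not part of the original message or of the Ubuntu/upstream patches, that carries out the safe half of that test on the running kernel: build a loopback TCP connection, attach the tls ULP to the established socket, move the socket back out of the connected state, and then call listen(2) on it. It assumes (the message does not spell this step out) that a disconnect via connect(2) with sa_family = AF_UNSPEC is how the socket is taken from connected back to a closed state before listen(2); listen(2) is rejected on a still-established socket regardless of the fix. The probe deliberately stops at listen() and never connects to the resulting listener, because the message says the complete test crashes an unpatched kernel. The function name ulp_listen_probe and the result enum are this example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef TCP_ULP
#define TCP_ULP 31 /* option number from linux/tcp.h, for older libc headers */
#endif

/* Outcome of the probe; names are this example's own, not kernel identifiers. */
enum ulp_probe_result {
    PROBE_ERROR = -1,          /* could not build the loopback connection */
    PROBE_NO_TLS_ULP = 0,      /* setsockopt(TCP_ULP, "tls") refused: nothing to test */
    PROBE_LISTEN_REJECTED = 1, /* listen(2) failed on the ULP socket: fix present */
    PROBE_LISTEN_ALLOWED = 2,  /* listen(2) succeeded: kernel lacks the fix */
};

/* Build a TCP connection over 127.0.0.1 and return the server-side
 * (accepted) socket in *conn and the client side in *peer. */
static int loopback_pair(int *conn, int *peer)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);

    if (lfd < 0 || cfd < 0)
        goto fail;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0; /* let the kernel pick a free port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0 ||
        listen(lfd, 1) < 0 ||
        connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto fail;
    *conn = accept(lfd, NULL, NULL);
    if (*conn < 0)
        goto fail;
    close(lfd);
    *peer = cfd;
    return 0;
fail:
    if (lfd >= 0)
        close(lfd);
    if (cfd >= 0)
        close(cfd);
    return -1;
}

enum ulp_probe_result ulp_listen_probe(void)
{
    int conn, peer;
    struct sockaddr sa;
    enum ulp_probe_result res;

    if (loopback_pair(&conn, &peer) < 0)
        return PROBE_ERROR;

    /* The TLS ULP init hook only accepts a connected socket, so attach it
     * to the established server side. Failure here (ENOENT, EOPNOTSUPP,
     * EINVAL) means the kernel has no usable tls ULP. */
    if (setsockopt(conn, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0) {
        res = PROBE_NO_TLS_ULP;
        goto out;
    }

    /* Assumption of this example: disconnect with AF_UNSPEC so the socket
     * leaves the established state while the ULP stays attached. */
    memset(&sa, 0, sizeof(sa));
    sa.sa_family = AF_UNSPEC;
    if (connect(conn, &sa, sizeof(sa)) < 0) {
        res = PROBE_ERROR;
        goto out;
    }

    /* On a fixed kernel this listen(2) fails (EINVAL). Do not go on to
     * connect to the listener: that is the step the message says crashes
     * an unpatched kernel. */
    res = (listen(conn, 1) == 0) ? PROBE_LISTEN_ALLOWED : PROBE_LISTEN_REJECTED;
out:
    close(peer);
    close(conn);
    return res;
}

int main(void)
{
    static const char *names[] = {
        "no tls ULP available", "listen() rejected (fix present)",
        "listen() allowed (kernel lacks the fix)",
    };
    enum ulp_probe_result r = ulp_listen_probe();

    if (r == PROBE_ERROR) {
        printf("probe error: %s\n", strerror(errno));
        return 1;
    }
    printf("%s\n", names[r]);
    return 0;
}
```

The probe needs no privileges beyond creating loopback sockets, which is the point of the [Impact] section. PROBE_LISTEN_REJECTED is the post-fix behaviour described under [Test case]; PROBE_NO_TLS_ULP just means the tls module is not available, not that the kernel is fixed.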