APPLIED: [SRU][F][PATCH 0/2] CVE-2024-26640
Stefan Bader
stefan.bader at canonical.com
Wed Sep 25 10:40:09 UTC 2024
On 10.09.24 03:42, Koichiro Den wrote:
> [Impact]
>
> tcp: add sanity checks to rx zerocopy
>
> TCP rx zerocopy intent is to map pages initially allocated
> from NIC drivers, not pages owned by a fs.
>
> This patch adds to can_map_frag() these additional checks:
>
> - Page must not be a compound one.
> - page->mapping must be NULL.
>
> This fixes the panic reported by ZhangPeng.
>
> syzbot was able to loopback packets built with sendfile(),
> mapping pages owned by an ext4 file to TCP rx zerocopy.
>
> r3 = socket$inet_tcp(0x2, 0x1, 0x0)
> mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
> r4 = socket$inet_tcp(0x2, 0x1, 0x0)
> bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
> connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
> r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
> 0x181e42, 0x0)
> fallocate(r5, 0x0, 0x0, 0x85b8)
> sendfile(r4, r5, 0x0, 0x8ba0)
> getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
> &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
> 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
> r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
> 0x181e42, 0x0)
>
> [Backport]
>
> The primary fix commit 577e4432f3ac ("tcp: add sanity checks to rx
> zerocopy") depends on commit 98917cf0d6ed ("net-zerocopy: Refactor
> frag-is-remappable test"). I backported it as it solely involves
> refactoring without introducing new features, is compact enough, and
> enables a clean cherry-pick of the primary fix.
>
> [Fix]
>
> Noble: not affected
> Jammy: fixed via stable
> Focal: Backport - one dependent commit backported as well, see [Backport]
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the TCP_ZEROCOPY_RECEIVE feature; an issue
> with this fix would be visible to the user via a system crash.
>
>
> Arjun Roy (1):
> net-zerocopy: Refactor frag-is-remappable test.
>
> Eric Dumazet (1):
> tcp: add sanity checks to rx zerocopy
>
> net/ipv4/tcp.c | 44 ++++++++++++++++++++++++++++++++++++--------
> 1 file changed, 36 insertions(+), 8 deletions(-)
>
Applied to focal:linux/master-next. Thanks.
-Stefan
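
Added example, not part of the original message or of the kernel patch: a userspace C model of the two conditions the quoted cover letter says were added to can_map_frag(), applied to a constructed frag like the sendfile() loopback case. The struct layouts, the _before/_after function names, the sample pages and the pre-fix whole-page, zero-offset condition are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u

/* Simplified stand-ins, not the kernel's struct page / skb_frag_t. */
struct model_page {
    bool compound;       /* part of a compound (multi-page) allocation */
    const void *mapping; /* non-NULL when a filesystem owns the page */
};

struct model_frag {
    const struct model_page *page;
    unsigned int offset, size;
};

/* Assumed pre-fix test: only a whole page at offset 0 is remappable. */
bool can_map_frag_before(const struct model_frag *f)
{
    return f->size == MODEL_PAGE_SIZE && f->offset == 0;
}

/* Same test with the two checks named in the cover letter added. */
bool can_map_frag_after(const struct model_frag *f)
{
    if (!can_map_frag_before(f))
        return false;
    /* Page must not be a compound one; page->mapping must be NULL. */
    if (f->page->compound || f->page->mapping != NULL)
        return false;
    return true;
}

/* Constructed sample pages and frags (not captured from a real system). */
static const int fake_address_space = 0; /* stands in for an ext4 mapping */
const struct model_page nic_page      = { false, NULL };
const struct model_page file_page     = { false, &fake_address_space };
const struct model_page compound_page = { true,  NULL };
const struct model_frag nic_frag      = { &nic_page,      0, MODEL_PAGE_SIZE };
const struct model_frag file_frag     = { &file_page,     0, MODEL_PAGE_SIZE };
const struct model_frag compound_frag = { &compound_page, 0, MODEL_PAGE_SIZE };
const struct model_frag short_frag    = { &nic_page,      0, 512 };

int main(void)
{
    printf("file-owned page: before=%d after=%d\n",
           can_map_frag_before(&file_frag), can_map_frag_after(&file_frag));
    return 0;
}
```

In this model the file-owned frag is the only case where the two versions disagree with a NIC-style page layout: it passes the size and offset test but is rejected once page->mapping is checked.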