From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91FBD155A50 for ; Thu, 29 Feb 2024 15:53:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709222015; cv=none; b=kY+CIX9dOSId24SCYSaPbEw+H7/ZnGZB5uRDaISEZivpa3N7et3fru/wrAYQ4qB/A2EzQ+n/W7EN10NBP6GxS+2OGvlPtLfffPhjs5+AoH5Gg6IcBX/QWLEC1S6Bi20ZtousCSHac/BAc4PZFpdpdbS7obhYzirrsYUUrWhnkEc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709222015; c=relaxed/simple; bh=Dsgo42JDu5w+7e3Ivh9EVB+Tn55xUX1bLvJdZ0RKfw0=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=aG2xeIgW/HwodmifO8zvI9ZGJmH08i7IqhTZ36gmRM7VOWDSnXFivdeyiACZp6aG/FJ3goJUfpjNRG0x/wCq6zbJp1+xaiXKnbas724kRpNRqT4/Y73TyKrphvXlaHxpYRRE3ViyWF22u2yfQp/iZjOjeyLFnXdqMB5g1I4iGn4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=MCXNG+p9; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="MCXNG+p9" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C8A14C433B2; Thu, 29 Feb 2024 15:53:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1709222015; bh=Dsgo42JDu5w+7e3Ivh9EVB+Tn55xUX1bLvJdZ0RKfw0=; h=From:To:Cc:Subject:Date:Reply-to:From; b=MCXNG+p9Y2uT01YVZDMrZSuRhy28uHPGs7vgFLurWWzbmq5c2kBx2sG8FCnNOnoEj YNIfxuMWhmgiMrB0qG+XqoRQfdgXTDJ0qxrIYFuqt/KzY0VR+GZJFLupuu3Lt0kZrZ amwgcewcHNDhW3kTiiWzBZenTuiMD6RoqpD0jQb3pPqzLUSFNdZq91LOwQVa46ApsT zO/VLeVUJN7MEGqOOCwNdjhGDUr7xLhVumcxkD7OH4FoordcPIeVzrK+4bniXJZHHr pkShEj9FWguxUN/jlbUXhRKzq+4temDMnvkmCw+ycdJoSqtJbt/yGRI6NXeyGlszey EogkuMDqSvhyw== From: Lee Jones To: linux-cve-announce@vger.kernel.org Cc: Lee Jones Subject: CVE-2024-26614: tcp: make sure init the accept_queue's spinlocks once Date: Thu, 29 Feb 2024 15:53:05 +0000 Message-ID: <20240229155245.1571576-46-lee@kernel.org> X-Mailer: git-send-email 2.44.0.rc1.240.g4c46232300-goog Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=7092; i=lee@kernel.org; h=from:subject; bh=Dsgo42JDu5w+7e3Ivh9EVB+Tn55xUX1bLvJdZ0RKfw0=; b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl4KhPhrkyxSV/IeRi5B1cVplzDE+97oRCsWXfj 3mz+kGI/yaJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZeCoTwAKCRBRr4ovh/x3 YVdnD/40vbUIVTsqSBUX/USB9N/BVENpj38GZsONTjyOi5yDuBu+kKS2/adF2gcWV9npKbMgBuR R3POJGMLgTig4JNF2/dOSQ7DvjjPFEG+Yj4xmi1OMFr4tKzkydHgpC5Jol/C8eoHMGVs0uPeOzT +U4WK0nEmE75G8JmEfJAePT3TiDrXTUYeabRgkLcYH9MtkwgYpQlch5E8YmTVHZtZPlX5uiXY63 C3Y2ZL46vjF3AGrryj7cB/mewI1yBVdyKXTcJ//sgUYoHjbduNTufH6W9tZvgebG7cNUA2BGSd7 LHl1Pb6KoGaGxPSjtT1eS1lj57cDtF7BZTY45j3zHPODl8UGrydJ5eRKALki4oUyvnZ80kfO+OR LUYNAVajGb+AwUZpIpI5dfeNxFWkjMNmf8uAwi7GlXaWV032SzX5rEIdV+6agboDtAnSYa/4ADJ RL8yUxTMH7nRUam9sdsdGLXBMKvj7ep88UBcTqoj10KvmS0xpKnISFE5dpqYNiwx8GrjZprqDrQ 7eBq8Nuj0mf/nYn8Ax6vECgvFttXRH1dbl2UceH1dWkMbjCWQ892GdhIn57rfj/SvBcTbC9mEHF Zf53YkpoW6vTe/O/dfbGVQ6tgCArc948wximzB2UKY8lX03uA4JTdGmpv8HW+Cyfw2/9mIz8PTg 6Uj/A8CezhelizQ== X-Developer-Key: i=lee@kernel.org; a=openpgp; fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761 Content-Transfer-Encoding: 8bit Description =========== In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add inet_listen //start listen spin_lock(&queue->rskq_lock) inet_csk_listen_start ... reqsk_queue_alloc ... spin_lock_init spin_unlock(&queue->rskq_lock) //warning When the socket receives the ACK packet during the three-way handshake, it will hold spinlock. And then the user actively shutdowns the socket and listens to the socket immediately, the spinlock will be initialized. When the socket is going to release the spinlock, a warning is generated. Also the same issue to fastopenq.lock. Move init spinlock to inet_create and inet_accept to make sure init the accept_queue's spinlocks once. The Linux kernel CVE team has assigned CVE-2024-26614 to this issue. Affected and fixed versions =========================== Issue introduced in 3.7 with commit 168a8f58059a and fixed in 5.10.210 with commit bc99dcedd2f4 Issue introduced in 3.7 with commit 168a8f58059a and fixed in 5.15.149 with commit d86cc6ab33b0 Issue introduced in 3.7 with commit 168a8f58059a and fixed in 6.1.76 with commit b1e0a68a0cd2 Issue introduced in 3.7 with commit 168a8f58059a and fixed in 6.6.15 with commit 168e7e599860 Issue introduced in 3.7 with commit 168a8f58059a and fixed in 6.7.3 with commit 3982fe726a63 Issue introduced in 3.7 with commit 168a8f58059a and fixed in 6.8-rc2 with commit 198bc90e0e73 Please see https://www.kernel.org or a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-26614 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/net/inet_connection_sock.h net/core/request_sock.c net/ipv4/af_inet.c net/ipv4/inet_connection_sock.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/bc99dcedd2f422d602516762b96c8ef1ae6b2882 https://git.kernel.org/stable/c/d86cc6ab33b085eaef27ea88b78fc8e2375c0ef3 https://git.kernel.org/stable/c/b1e0a68a0cd2a83259c444f638b417a8fffc6855 https://git.kernel.org/stable/c/168e7e599860654876c2a1102a82610285c02f02 https://git.kernel.org/stable/c/3982fe726a63fb3de6005e534e2ac8ca7e0aca2a https://git.kernel.org/stable/c/198bc90e0e734e5f98c3d2833e8390cac3df61b2