| Message ID | 20230126185456.986615-1-cascardo@canonical.com |
|---|---|
| Series | CVE-2023-0461 |
On 1/26/23 11:54, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users may set an ULP on a connected TCP socket, make it into a
> listener and trigger a double free when that listener socket is cloned
> during a connection.
>
> [Fix]
> The fix is to prevent listening sockets from having an ULP. On older kernels,
> where the only ULP is TLS, it is enough to prevent listen(2) from succeeding on
> a socket that has an ULP set. That is because the init hook of TLS will
> prevent non-connected sockets from having the ULP set.
>
> On later kernels, it is also necessary to prevent setsockopt(TCP_ULP) from
> succeeding when the socket is in a listening state. It should also allow such
> operations to succeed on ULPs that support the clone operation/hook.
>
> [Backports]
> Some context had to be adjusted on some kernels. But on focal and bionic,
> the clone hook does not exist, so the check for it had to be removed. Also,
> upstream decided about not checking for the state on tcp_set_ulp. Notice
> that focal already picked this up from linux-5.4.y and it is the same patch
> as the one we applied on bionic. Still sending it here for completeness.
>
> Lunar and Unstable already have the first patch, only sending the second
> one for completeness.
>
> [Test case]
> A test trying to change a ULP-set socket from connected to listen state was
> done. Before the fix, the complete test eventually leads to a crash. After
> the fix, the listen() syscall fails and all is fine.
>
> [Potential regression]
> ULP users (especially TLS on older kernels) may hit upon problems.
>
> Paolo Abeni (2):
>   net/ulp: prevent ULP without clone op from entering the LISTEN status
>   net/ulp: use consistent error code when blocking ULP
>
>  net/ipv4/inet_connection_sock.c | 14 ++++++++++++++
>  net/ipv4/tcp_ulp.c              |  4 ++++
>  2 files changed, 18 insertions(+)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
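The [Test case] section of the quoted cover letter describes the check ("change a ULP-set socket from connected to listen state", expect listen() to fail after the fix) without showing it. The program below is an added example written for this page; it is not code from the series, from the Ubuntu kernel team, or from anyone on this thread. It builds a loopback TCP connection, attaches the "tls" ULP to the connected client socket, returns that socket to the unconnected state, and reports whether listen() is refused. Two things are assumptions of this example rather than statements from the cover letter: the disconnect is done with a connect() to AF_UNSPEC (the cover letter does not say how the socket gets from connected back to a state where listen() is reachable), and the `ulp_listen_*` verdict names and `loopback_pair`/`ulp_listen_probe` helpers are this example's own. It needs a Linux kernel with the tls ULP available (CONFIG_TLS built in or loadable) and a working loopback interface.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef TCP_ULP
#define TCP_ULP 31  /* from <linux/tcp.h>, for libc headers that lack it */
#endif

/* Verdict names are this example's own, not kernel or libc identifiers. */
enum ulp_listen_verdict {
    ULP_LISTEN_REFUSED = 0,  /* listen() failed: kernel blocks ULP listeners */
    ULP_LISTEN_ALLOWED = 1,  /* listen() succeeded: kernel lacks the fix */
    ULP_UNAVAILABLE = -1,    /* "tls" ULP not attachable (no module, sandbox) */
    ULP_SETUP_FAILED = -2,   /* loopback setup or disconnect failed */
};

/* Loopback listener on a kernel-chosen port plus a client connected to it.
 * The blocking connect() returns with the handshake done, so the client is
 * ESTABLISHED, which tls_init() requires. Returns 0 on success. */
static int loopback_pair(int *srv, int *cli)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);

    memset(&addr, 0, sizeof(addr));  /* sin_port 0: kernel picks a free port */
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    *srv = socket(AF_INET, SOCK_STREAM, 0);
    if (*srv < 0)
        return -1;
    if (bind(*srv, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(*srv, 1) < 0 ||
        getsockname(*srv, (struct sockaddr *)&addr, &alen) < 0)
        goto fail;
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0)
        goto fail;
    if (connect(*cli, (struct sockaddr *)&addr, sizeof(addr)) == 0)
        return 0;
    close(*cli);
fail:
    close(*srv);
    return -1;
}

/* Runs the probe; *out_errno gets the errno of the deciding step (0 if
 * listen() unexpectedly succeeded). */
enum ulp_listen_verdict ulp_listen_probe(int *out_errno)
{
    int srv, cli;
    enum ulp_listen_verdict verdict;
    struct sockaddr unspec;

    if (loopback_pair(&srv, &cli) < 0) {
        *out_errno = errno;
        return ULP_SETUP_FAILED;
    }
    memset(&unspec, 0, sizeof(unspec));
    unspec.sa_family = AF_UNSPEC;

    /* 1. Attach the TLS ULP to the connected socket.
     * 2. (Assumed here; the cover letter does not spell it out.) connect() to
     *    AF_UNSPEC disconnects the socket back to TCP_CLOSE, which
     *    inet_listen() requires, while the ULP stays attached.
     * 3. Try to make the ULP-carrying socket a listener. Nothing ever
     *    connects to it, so the clone path behind the double free is not
     *    reached even on an unfixed kernel. */
    if (setsockopt(cli, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        verdict = ULP_UNAVAILABLE;
    else if (connect(cli, &unspec, sizeof(unspec)) < 0)
        verdict = ULP_SETUP_FAILED;
    else if (listen(cli, 1) < 0)
        verdict = ULP_LISTEN_REFUSED;
    else
        verdict = ULP_LISTEN_ALLOWED;
    *out_errno = verdict == ULP_LISTEN_ALLOWED ? 0 : errno;

    close(cli);
    close(srv);
    return verdict;
}

int main(void)
{
    int err = 0;
    enum ulp_listen_verdict v = ulp_listen_probe(&err);
    /* indexed by verdict + 2: SETUP_FAILED, UNAVAILABLE, REFUSED, ALLOWED */
    static const char *const text[] = { "loopback setup failed", "tls ULP not attachable",
                                        "listen() refused: kernel has the fix",
                                        "listen() allowed: kernel lacks the fix" };

    printf("%s (errno %d: %s)\n", text[v + 2], err, strerror(err));
    return v == ULP_LISTEN_ALLOWED;
}
```

Build with `cc -o ulp_listen_probe ulp_listen_probe.c` and run as an unprivileged user. On a kernel carrying the first patch the listen() attempt fails with EINVAL, which is the error the added check in inet_csk_listen_start() returns; on an unfixed kernel listen() succeeds and the process exits non-zero. If the tls ULP cannot be attached (typically ENOENT where module autoload is unavailable, as in many containers) the probe is inconclusive rather than a pass. The probe deliberately stops after listen(): connecting a client to a ULP-bearing listener is the "complete test" the cover letter says eventually crashes an unfixed kernel, so that step is left out.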
On 26.01.23 19:54, Thadeu Lima de Souza Cascardo wrote:
> [...]

Question would be about oem-6.1 but right now that might be covered via lunar... Otherwise:

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 23-01-26 15:54:50, Thadeu Lima de Souza Cascardo wrote:
> [...]

Acked-by: Cengiz Can <cengiz.can@canonical.com>

> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Applied to bionic,jammy,kinetic linux master-next, focal one was already applied via stable update.

Thanks!
- Luke

On Thu, Jan 26, 2023 at 10:55 AM Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:
> [...]
On Thu, Jan 26, 2023 at 03:54:50PM -0300, Thadeu Lima de Souza Cascardo wrote:
> [...]

Already applied to lunar kernels via stable updates / periodic rebase.

-Andrea
Thadeu Lima de Souza Cascardo wrote on 26.1.2023 at 20.54:
> [...]

applied to oem kernels, thanks