From patchwork Thu Jan 26 18:54:50 2023
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1732437
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [UBUNTU Bionic/Focal/OEM-5.14/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar/Unstable 0/2] CVE-2023-0461
Date: Thu, 26 Jan 2023 15:54:50 -0300
Message-Id: <20230126185456.986615-1-cascardo@canonical.com>
X-Mailer: git-send-email 2.34.1
List-Id: Kernel team discussions

[Impact]
Unprivileged users may set a ULP on a connected TCP socket, make it into a listener and trigger a double free when that listener socket is cloned during a connection.

[Fix]
The fix is to prevent listening sockets from having a ULP. On older kernels, where the only ULP is TLS, it is enough to prevent listen(2) from succeeding on a socket that has a ULP set. That is because the init hook of TLS will prevent non-connected sockets from having the ULP set.

On later kernels, it is also necessary to prevent setsockopt(TCP_ULP) from succeeding when the socket is in a listening state. It should also allow such operations to succeed on ULPs that support the clone operation/hook.

[Backports]
Some context had to be adjusted on some kernels. But on focal and bionic, the clone hook does not exist, so the check for it had to be removed. Also, upstream decided not to check for the state in tcp_set_ulp.

Notice that focal already picked this up from linux-5.4.y and it is the same patch as the one we applied on bionic. Still sending it here for completeness.

Lunar and Unstable already have the first patch; only sending the second one for completeness.

[Test case]
A test trying to change a ULP-set socket from connected to listen state was done. Before the fix, the complete test eventually leads to a crash. After the fix, the listen() syscall fails and all is fine.

[Potential regression]
ULP users (especially TLS on older kernels) may hit upon problems.

Paolo Abeni (2):
  net/ulp: prevent ULP without clone op from entering the LISTEN status
  net/ulp: use consistent error code when blocking ULP

 net/ipv4/inet_connection_sock.c | 14 ++++++++++++++
 net/ipv4/tcp_ulp.c              |  4 ++++
 2 files changed, 18 insertions(+)

Acked-by: Tim Gardner
Acked-by: Cengiz Can
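The [Test case] section above does not show the syscall sequence. The probe below is an added example written for this page; it is not the test Cascardo ran and not part of the patch series or of any Ubuntu tree. It reproduces only the precondition: it establishes a loopback TCP connection (the TLS ULP's init hook accepts only an established socket), attaches the TLS ULP with setsockopt(TCP_ULP), brings the socket back to the closed state with connect() on an AF_UNSPEC address (the assumed way to take a connected socket to a state where listen(2) is possible without dropping the ULP; the cover letter does not spell this step out), and then calls listen(). On a kernel carrying these patches the listen() fails; the example does not assume a particular errno, because the second patch is precisely about which error code is returned. It stops there and never connects to the ULP listener, so the cloning step that causes the double free is not exercised. Run it only on a disposable machine: on a kernel without the fix it leaves behind a listening socket with a ULP attached, which is the state these patches exist to forbid. The TCP_ULP fallback value and the enum and function names are this example's own.

```c
/*
 * Added example (not from the patch series or the Ubuntu tree): probe
 * whether this kernel lets a TCP socket that carries a ULP enter LISTEN,
 * the condition CVE-2023-0461 depends on.
 *
 * Steps, using the TLS ULP as the cover letter does:
 *   1. establish a loopback TCP connection (tls_init() only accepts an
 *      ESTABLISHED socket)
 *   2. setsockopt(TCP_ULP, "tls") on the client end
 *   3. connect() with AF_UNSPEC: tcp_disconnect() resets the socket to
 *      TCP_CLOSE but leaves the ULP attached (assumed mechanism)
 *   4. listen() on that socket; a fixed kernel refuses it
 *
 * The probe stops right after listen(). It never connects to the ULP
 * listener, so the clone that causes the double free is not reached.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef TCP_ULP
#define TCP_ULP 31 /* value from include/uapi/linux/tcp.h */
#endif

enum ulp_probe {
	PROBE_SETUP_FAILED,    /* no loopback connection, or disconnect failed */
	PROBE_ULP_UNAVAILABLE, /* setsockopt(TCP_ULP) refused, e.g. no tls module */
	PROBE_LISTEN_REFUSED,  /* listen() failed on the ULP socket: fixed kernel */
	PROBE_LISTEN_ALLOWED,  /* listen() succeeded: kernel lacks the fix */
};

/* Runs the four steps above. If listen_errno is non-NULL it receives the
 * errno of the refused listen(), or 0 for every other outcome. */
enum ulp_probe probe_ulp_listen(int *listen_errno)
{
	struct sockaddr_in addr = { .sin_family = AF_INET };
	struct sockaddr unspec = { .sa_family = AF_UNSPEC };
	socklen_t len = sizeof(addr);
	int srv = -1, cli = -1, peer = -1, err = 0;
	enum ulp_probe verdict = PROBE_SETUP_FAILED;

	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */

	srv = socket(AF_INET, SOCK_STREAM, 0);
	cli = socket(AF_INET, SOCK_STREAM, 0);
	if (srv < 0 || cli < 0)
		goto out;
	if (bind(srv, (struct sockaddr *)&addr, len) < 0 || listen(srv, 1) < 0 ||
	    getsockname(srv, (struct sockaddr *)&addr, &len) < 0 ||
	    connect(cli, (struct sockaddr *)&addr, len) < 0)
		goto out;
	/* peer stays open until the end so cli remains ESTABLISHED */
	peer = accept(srv, NULL, NULL);
	if (peer < 0)
		goto out;

	if (setsockopt(cli, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0) {
		verdict = PROBE_ULP_UNAVAILABLE;
		goto out;
	}
	/* back to TCP_CLOSE with the ULP still attached */
	if (connect(cli, &unspec, sizeof(unspec)) < 0)
		goto out;

	if (listen(cli, 1) < 0) {
		err = errno;
		verdict = PROBE_LISTEN_REFUSED;
	} else {
		verdict = PROBE_LISTEN_ALLOWED;
	}
out:
	if (peer >= 0)
		close(peer);
	if (cli >= 0)
		close(cli);
	if (srv >= 0)
		close(srv);
	if (listen_errno)
		*listen_errno = err;
	return verdict;
}

int main(void)
{
	static const char *const text[] = {
		"setup failed: could not build a loopback TCP connection",
		"ULP unavailable: setsockopt(TCP_ULP, \"tls\") refused",
		"listen() on the ULP socket refused: kernel has the fix",
		"listen() on the ULP socket ALLOWED: kernel lacks the fix",
	};
	int err = 0;
	enum ulp_probe v = probe_ulp_listen(&err);

	printf("%s", text[v]);
	if (v == PROBE_LISTEN_REFUSED)
		printf(" (errno %d: %s)", err, strerror(err));
	putchar('\n');
	return v == PROBE_LISTEN_ALLOWED;
}
```

The "ULP unavailable" outcome is expected on hosts where the tls module cannot be loaded or where the sandbox rejects the option; it says nothing about the fix either way. Only the "ALLOWED" outcome identifies a kernel missing these patches.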