CVE-2023-52523

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52523
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52523.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52523
Related
Published
2024-03-02T22:15:48Z
Modified
2024-09-18T03:24:32.306671Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages sent from one TCP socket (s1) to actually egress from another TCP socket (s2):

tcpbpfsendmsg(s1) // = skprot->sendmsg tcpbpfsendverdict(s1) // _SKREDIRECT case tcpbpfsendmsgredir(s2) tcpbpfpushlocked(s2) tcpbpfpush(s2) tcpratecheckapplimited(s2) // expects tcpsock tcpsendmsg_locked(s2) // ditto

There is a hard-coded assumption in the call-chain, that the egress socket (s2) is a TCP socket.

However in commit 122e6c79efe1 ("sockmap: Update sock type checks for UDP") we have enabled redirects to non-TCP sockets. This was done for the sake of BPF skskb programs. There was no indention to support sk_msg send-to-egress use case.

As a result, attempts to send-to-egress through a non-TCP socket lead to a crash due to invalid downcast from sock to tcp_sock:

BUG: kernel NULL pointer dereference, address: 000000000000002f ... Call Trace: <TASK> ? showregs+0x60/0x70 ? _die+0x1f/0x70 ? pagefaultoops+0x80/0x160 ? douseraddrfault+0x2d7/0x800 ? rcuiswatching+0x11/0x50 ? excpagefault+0x70/0x1c0 ? asmexcpagefault+0x27/0x30 ? tcptsosegs+0x14/0xa0 tcpwritexmit+0x67/0xce0 _tcppushpendingframes+0x32/0xf0 tcppush+0x107/0x140 tcpsendmsglocked+0x99f/0xbb0 tcpbpfpush+0x19d/0x3a0 tcpbpfsendmsgredir+0x55/0xd0 tcpbpfsendverdict+0x407/0x550 tcpbpfsendmsg+0x1a1/0x390 inetsendmsg+0x6a/0x70 socksendmsg+0x9d/0xc0 ? sockfdlookuplight+0x12/0x80 _syssendto+0x10e/0x160 ? syscallenterfromusermode+0x20/0x60 ? _thiscpupreemptcheck+0x13/0x20 ? lockdephardirqson+0x82/0x110 _x64syssendto+0x1f/0x30 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x63/0xcd

Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg program to prevent the crash. When attempted, user will receive an EACCES error from send/sendto/sendmsg() syscall.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.64-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}