CVE-2023-52701

In the Linux kernel, the following vulnerability has been resolved:

net: use a bounce buffer for copying skb->mark

syzbot found arm64 builds would crash in sockrecvmark() when CONFIGHARDENEDUSERCOPY=y

x86 and powerpc are not detecting the issue because they define useraccessbegin. This will be handled in a different patch, because a checkobjectsize() is missing.

Only data from skb->cb[] can be copied directly to/from user space, as explained in commit 79a8a642bf05 ("net: Whitelist the skbuffheadcache "cb" field")

syzbot report was: usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuffheadcache' (offset 168, size 4)! ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:102 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usercopyabort+0x90/0x94 mm/usercopy.c:90 lr : usercopyabort+0x90/0x94 mm/usercopy.c:90 sp : ffff80000fb9b9a0 x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00 x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000 x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8 x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000 x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118 x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400 x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00 x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c Call trace: usercopy_abort+0x90/0x94 mm/usercopy.c:90 __checkheapobject+0xa8/0x100 mm/slub.c:4761 checkheapobject mm/usercopy.c:196 [inline] __checkobjectsize+0x208/0x6b8 mm/usercopy.c:251 check_objectsize include/linux/threadinfo.h:199 [inline] __copytouser include/linux/uaccess.h:115 [inline] put_cmsg+0x408/0x464 net/core/scm.c:238 sockrecvmark net/socket.c:975 [inline] __sockrecvcmsgs+0x1fc/0x248 net/socket.c:984 sockrecvcmsgs include/net/sock.h:2728 [inline] packetrecvmsg+0x2d8/0x678 net/packet/afpacket.c:3482 ____sys_recvmsg+0x110/0x3a0 ___sys_recvmsg net/socket.c:2737 [inline] __sys_recvmsg+0x194/0x210 net/socket.c:2767 __dosysrecvmsg net/socket.c:2777 [inline] __sesysrecvmsg net/socket.c:2774 [inline] __arm64sysrecvmsg+0x2c/0x3c net/socket.c:2774 __invokesyscall arch/arm64/kernel/syscall.c:38 [inline] invokesyscall+0x64/0x178 arch/arm64/kernel/syscall.c:52 el0svccommon+0xbc/0x180 arch/arm64/kernel/syscall.c:142 doel0svc+0x48/0x110 arch/arm64/kernel/syscall.c:193 el0svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637 el0t64synchandler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t64sync+0x190/0x194 arch/arm64/kernel/entry.S:591 Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)