CVE-2024-50034

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix lacks of icsksynmss with IPPROTO_SMC

Eric report a panic on IPPROTOSMC, and give the facts that when INETPROTOSWICSK was set, icsk->icsksync_mss must be set too.

Bug: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000005 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000 [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003, pud=0000000000000000 Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : cipsov4socksetattr+0x2a8/0x3c0 net/ipv4/cipsoipv4.c:1910 sp : ffff80009b887a90 x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000 x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00 x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000 x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001 x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003 x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000 Call trace: 0x0 netlblsocksetattr+0x2e4/0x338 net/netlabel/netlabelkapi.c:1000 smacknetlbladd+0xa4/0x154 security/smack/smacklsm.c:2593 smacksocketpostcreate+0xa8/0x14c security/smack/smacklsm.c:2973 securitysocketpostcreate+0x94/0xd4 security/security.c:4425 _sockcreate+0x4c8/0x884 net/socket.c:1587 sockcreate net/socket.c:1622 [inline] _syssocketcreate net/socket.c:1659 [inline] _syssocket+0x134/0x340 net/socket.c:1706 _dosyssocket net/socket.c:1720 [inline] _sesyssocket net/socket.c:1718 [inline] _arm64syssocket+0x7c/0x94 net/socket.c:1718 _invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0x130/0x23c arch/arm64/kernel/syscall.c:132 doel0svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t64synchandler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: ???????? ???????? ???????? ???????? (????????) ---[ end trace 0000000000000000 ]---

This patch add a toy implementation that performs a simple return to prevent such panic. This is because MSS can be set in sockcreatekern or smcsetsockopt, similar to how it's done in AFSMC. However, for AFSMC, there is currently no way to synchronize MSS within _sysconnectfile. This toy implementation lays the groundwork for us to support such feature for IPPROTO_SMC in the future.