In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix TCP options overflow.
Syzbot reported the following splat:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:compoundhead include/linux/page-flags.h:242 [inline] RIP: 0010:putpage+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skbpageunref include/linux/skbuffref.h:43 [inline] _skbfragunref include/linux/skbuffref.h:56 [inline] skbreleasedata+0x483/0x8a0 net/core/skbuff.c:1119 skbreleaseall net/core/skbuff.c:1190 [inline] _kfreeskb+0x55/0x70 net/core/skbuff.c:1204 tcpcleanrtxqueue net/ipv4/tcpinput.c:3436 [inline] tcpack+0x2442/0x6bc0 net/ipv4/tcpinput.c:4032 tcprcvstateprocess+0x8eb/0x44e0 net/ipv4/tcpinput.c:6805 tcpv4dorcv+0x77d/0xc70 net/ipv4/tcpipv4.c:1939 tcpv4rcv+0x2dc0/0x37f0 net/ipv4/tcpipv4.c:2351 ipprotocoldeliverrcu+0x22e/0x440 net/ipv4/ipinput.c:205 iplocaldeliverfinish+0x341/0x5f0 net/ipv4/ipinput.c:233 NFHOOK+0x3a4/0x450 include/linux/netfilter.h:314 NFHOOK+0x3a4/0x450 include/linux/netfilter.h:314 _netifreceiveskbonecore net/core/dev.c:5672 [inline] _netifreceiveskb+0x2bf/0x650 net/core/dev.c:5785 processbacklog+0x662/0x15b0 net/core/dev.c:6117 _napipoll+0xcb/0x490 net/core/dev.c:6883 napipoll net/core/dev.c:6952 [inline] netrxaction+0x89b/0x1240 net/core/dev.c:7074 handlesoftirqs+0x2d4/0x9b0 kernel/softirq.c:561 _dosoftirq kernel/softirq.c:595 [inline] invokesoftirq kernel/softirq.c:435 [inline] _irqexitrcu+0xf7/0x220 kernel/softirq.c:662 irqexitrcu+0x9/0x30 kernel/softirq.c:678 instrsysvecapictimerinterrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvecapictimerinterrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asmsysvecapictimer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK>
Eric noted a probable shinfo->nr_frags corruption, which indeed occurs.
The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit.
Still, mptcpestablishedoptionsaddaddr() tries to set the relevant info in mptcpoutoptions, if ---truncated---
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88b01048f286bb522f524ad99943ba86797d6514",
"target": {
"function": "mptcp_established_options_add_addr",
"file": "net/mptcp/options.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-14f23f9c",
"digest": {
"function_hash": "209327190346744261877681459331741342908",
"length": 1048.0
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88b01048f286bb522f524ad99943ba86797d6514",
"target": {
"file": "net/mptcp/options.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-1610ee38",
"digest": {
"line_hashes": [
"276259851177448933169713856369753594864",
"128372774726602684794013925837565138002",
"13241330596073051386146036061823424865",
"94879433187576554901830086501866016368",
"319858072023413009411520223928620268578"
],
"threshold": 0.9
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb08e6b0ba284e3dcdc9378de26dcb51d90710f5",
"target": {
"function": "mptcp_established_options_add_addr",
"file": "net/mptcp/options.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-1719cd89",
"digest": {
"function_hash": "104135557599781169742252800459517702002",
"length": 1195.0
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53fe947f67c93a5334aed3a7259fcc8a204f8bb6",
"target": {
"file": "net/mptcp/options.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-43f5461c",
"digest": {
"line_hashes": [
"276259851177448933169713856369753594864",
"128372774726602684794013925837565138002",
"13241330596073051386146036061823424865",
"94879433187576554901830086501866016368",
"319858072023413009411520223928620268578"
],
"threshold": 0.9
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@09ba95321a269019b5aa8e0c3bc80cf86d91fd18",
"target": {
"function": "mptcp_established_options_add_addr",
"file": "net/mptcp/options.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-5a156d10",
"digest": {
"function_hash": "209327190346744261877681459331741342908",
"length": 1048.0
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@09ba95321a269019b5aa8e0c3bc80cf86d91fd18",
"target": {
"file": "net/mptcp/options.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-8c7d8b61",
"digest": {
"line_hashes": [
"276259851177448933169713856369753594864",
"128372774726602684794013925837565138002",
"13241330596073051386146036061823424865",
"94879433187576554901830086501866016368",
"319858072023413009411520223928620268578"
],
"threshold": 0.9
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb08e6b0ba284e3dcdc9378de26dcb51d90710f5",
"target": {
"file": "net/mptcp/options.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-8d139de0",
"digest": {
"line_hashes": [
"276259851177448933169713856369753594864",
"128372774726602684794013925837565138002",
"13241330596073051386146036061823424865",
"94879433187576554901830086501866016368",
"319858072023413009411520223928620268578"
],
"threshold": 0.9
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cbb26f7d8451fe56ccac802c6db48d16240feebd",
"target": {
"function": "mptcp_established_options_add_addr",
"file": "net/mptcp/options.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-a7917d45",
"digest": {
"function_hash": "104135557599781169742252800459517702002",
"length": 1195.0
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cbb26f7d8451fe56ccac802c6db48d16240feebd",
"target": {
"file": "net/mptcp/options.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-f85621e8",
"digest": {
"line_hashes": [
"276259851177448933169713856369753594864",
"128372774726602684794013925837565138002",
"13241330596073051386146036061823424865",
"94879433187576554901830086501866016368",
"319858072023413009411520223928620268578"
],
"threshold": 0.9
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53fe947f67c93a5334aed3a7259fcc8a204f8bb6",
"target": {
"function": "mptcp_established_options_add_addr",
"file": "net/mptcp/options.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2024-57882-faa338da",
"digest": {
"function_hash": "333073417303956068569133522981891546155",
"length": 1169.0
}
}
]