A recently resolved Linux kernel vulnerability, CVE-2022-48839, is addressed by the commit "net/packet: fix slab-out-of-bounds access in packet_recvmsg()". The bug was reported by syzbot, the automated system that fuzzes the kernel and reports the crashes it finds. It is triggered when an AF_PACKET socket uses PACKET_COPY_THRESH together with a mmap()'d ring: in that configuration tpacket_rcv() queues skbs with garbage left in skb->cb[], and packet_recvmsg() later uses those bytes to size its copy, which is then too big [1].

The fix clears the 12 bytes that might later be copied to user space before the skb is queued. This does not affect af_packet users who rely on mmap(), since they already get the correct metadata from the mapped buffer.
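As an added illustration (not the kernel's code or the patch itself), a user-space model of the copy-length computation in packet_recvmsg() that this bug and its fix turn on: the length comes from sll_halen in the skb's control block, so stale bytes there inflate the copy past the on-stack msg_name buffer. struct sockaddr_ll is the real uapi layout; the cb[] contents, the 0x99 stale byte and the function names are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CB_LEN            48   /* sizeof(skb->cb) in the kernel */
#define SOCKADDR_STORAGE_LEN 128   /* on-stack msg_name buffer in recvmsg() */

/* Real uapi layout of struct sockaddr_ll (20 bytes); sll_addr is at offset 12. */
struct sockaddr_ll {
    uint16_t sll_family, sll_protocol;
    int32_t  sll_ifindex;
    uint16_t sll_hatype;
    uint8_t  sll_pkttype, sll_halen, sll_addr[8];
};

/* Length packet_recvmsg() derives from the control block before its memcpy(). */
static size_t recv_copy_len(const unsigned char *cb)
{
    struct sockaddr_ll sll;
    memcpy(&sll, cb, sizeof sll);
    return (size_t)sll.sll_halen + offsetof(struct sockaddr_ll, sll_addr);
}

/* Model of tpacket_rcv() queueing an skb whose cb[] still holds stale bytes.
 * 0x99 is a constructed stale value: sll_halen == 153, so the copy length
 * is 165, the write size KASAN reported. With apply_fix set, the sockaddr_ll
 * slot of cb[] is zeroed first, which is what the upstream fix does. */
size_t copy_len_after_rcv(int apply_fix)
{
    unsigned char cb[SKB_CB_LEN];
    memset(cb, 0x99, sizeof cb);
    if (apply_fix)
        memset(cb, 0, sizeof(struct sockaddr_ll));
    return recv_copy_len(cb);
}

/* 1 when the copy would overrun the 128-byte msg_name on the stack. */
int overruns_msg_name(size_t copy_len)
{
    return copy_len > SOCKADDR_STORAGE_LEN;
}

int main(void)
{
    size_t bad = copy_len_after_rcv(0), ok = copy_len_after_rcv(1);
    printf("unfixed: %zu bytes, overrun=%d\n", bad, overruns_msg_name(bad));
    printf("fixed:   %zu bytes, overrun=%d\n", ok, overruns_msg_name(ok));
    return 0;
}
```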

Below is the KASAN report from the original reference [1], showing the stack trace at the point of the out-of-bounds write.

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631

CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-gb3660695e80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
 ___sys_recvmsg+0x127/0x200 net/socket.c:2674
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fdfd5954c29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
R13: 00000000000f424 R14: 000000000000c1ff R15: 00007ffcf8e71e54
 </TASK>

The address being written lies on the stack of the syz-executor233/3631 task. Links to the original references are provided below:

1. https://www.linux-kernel-archive.org/linux-kernel/2022/3/7/512228.html
2. https://www.mail-archive.com/netdev@vger.kernel.org/msg565979.html
3. https://lore.kernel.org/netdev/CALo8v=euKBVhBcnpO1qBzz_tE_4X33xp8zD6+M9qjewpMzDrDw@mail.gmail.com/

Exploiting this vulnerability could potentially allow an attacker to execute arbitrary code or cause a denial of service (DoS) on the affected system. With the fix applied, this risk is mitigated, so users and developers are strongly advised to update to a Linux kernel version that includes the fix.

Timeline

Published on: 07/16/2024 13:15:11 UTC
Last modified on: 07/18/2024 16:04:39 UTC