Google Git
Sign in
cos / third_party / kernel / 81668026811f1248b6eaa73f8f60a949614ea3d1
commit81668026811f1248b6eaa73f8f60a949614ea3d1[log] [tgz]
authorKuniyuki Iwashima <kuniyu@amazon.com>Thu Nov 17 04:56:00 2022 +0100
committerOleksandr Tymoshenko <ovt@google.com>Sat Feb 17 04:44:23 2024 +0000
treebe28d2249fe12af1ab783494b7e24edf3af5061e
parent60d6cb174d3c09ed69f87b6bbc7d7aadee648255 [diff]
tcp: Fix data races around icsk->icsk_af_ops.

setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
under lock_sock(), but tcp_(get|set)sockopt() read it locklessly.  To
avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
for the reads and writes.

Thanks to Eric Dumazet for providing the syzbot report:

BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect

write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
__inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
__sys_connect_file net/socket.c:1976 [inline]
__sys_connect+0x197/0x1b0 net/socket.c:1993
__do_sys_connect net/socket.c:2003 [inline]
__se_sys_connect net/socket.c:2000 [inline]
__x64_sys_connect+0x3d/0x50 net/socket.c:2000
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
__sys_setsockopt+0x212/0x2b0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263 [inline]
__se_sys_setsockopt net/socket.c:2260 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
6.0.0-rc4-syzkaller-00331-g4ed9c1e971b1-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 08/26/2022

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

BUG=b/324802698
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2022-3566 in the Linux kernel.

CVE-2022-3566
(backported from commit f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57)
[cascardo: small conflict fixup]
cos-patch: security-high
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>
Acked-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Change-Id: I103da3ac74f04c75e0b85f584483bddc9764f303
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/64997
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Arnav Kansal <rnv@google.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
3 files changed
tree: be28d2249fe12af1ab783494b7e24edf3af5061e
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. google/
  9. include/
  10. init/
  11. io_uring/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .cocciconfig
  27. .get_maintainer.ignore
  28. .gitattributes
  29. .gitignore
  30. .mailmap
  31. COPYING
  32. CREDITS
  33. Kbuild
  34. Kconfig
  35. MAINTAINERS
  36. Makefile
  37. PRESUBMIT.cfg
  38. README