CVE-2021-47304

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
21/05/2024
Last modified:
12/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions.

The buggy scenario constructed by syzkaller was something like:

(1) create a TCP socket
(2) initiate a TFO connect via sendto()
(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), which calls:
    tcp_set_congestion_control() ->
    tcp_reinit_congestion_control() ->
    tcp_init_congestion_control()
(4) receive ACK, connection is established, call tcp_init_transfer(), set icsk_ca_initialized=0 (without first calling cc->release()), call tcp_init_congestion_control() again.

Note that in this sequence tcp_init_congestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g., CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG.

The bug was introduced when commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), which would call tcp_init_congestion_control(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).
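The following is an added user-space model of the init/release lifecycle described above; it is not kernel code and not part of this record. The struct and function names echo the kernel's (icsk_ca_initialized, init, release, tcp_init_transfer), but their bodies are constructed here for illustration, and the "fixed" variant is an assumption taken from the title of the fix (tcp_init_transfer() no longer resets icsk_ca_initialized). Replaying steps (1)-(4) against both variants shows why a module that allocates in init(), like CDG, leaks one block under the buggy variant and none under the fixed one.

```c
/* Constructed model of CVE-2021-47304 (not the kernel's implementation). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sock_model;

/* Minimal stand-in for the kernel's congestion-control ops table. */
struct cc_ops {
    const char *name;
    void (*init)(struct sock_model *sk);
    void (*release)(struct sock_model *sk);
};

/* Minimal stand-in for the socket fields involved in the bug. */
struct sock_model {
    const struct cc_ops *icsk_ca_ops;
    int icsk_ca_initialized;   /* flag introduced by commit 8919a9b31eb4 */
    void *ca_priv;             /* private state allocated by init() */
};

/* Number of CC allocations currently live; a leak shows up as a non-zero
 * value after the socket's single release() at close time. */
static int live_allocs = 0;

/* Model of a module that allocates in init(), as the description says CDG does.
 * Calling init() twice without release() in between overwrites ca_priv and
 * loses the first block. */
static void cdg_init(struct sock_model *sk) {
    sk->ca_priv = malloc(64);
    live_allocs++;
}

static void cdg_release(struct sock_model *sk) {
    if (sk->ca_priv) {
        free(sk->ca_priv);
        live_allocs--;
    }
    sk->ca_priv = NULL;
}

static const struct cc_ops cdg_ops  = { "cdg",  cdg_init, cdg_release };
static const struct cc_ops reno_ops = { "reno", NULL,     NULL };  /* allocates nothing */

static void tcp_init_congestion_control(struct sock_model *sk) {
    if (sk->icsk_ca_ops->init)
        sk->icsk_ca_ops->init(sk);
    sk->icsk_ca_initialized = 1;
}

static void tcp_cleanup_congestion_control(struct sock_model *sk) {
    if (sk->icsk_ca_ops->release)
        sk->icsk_ca_ops->release(sk);
    sk->icsk_ca_initialized = 0;
}

/* Step (3): setsockopt(TCP_CONGESTION) while in TCP_SYN_SENT. */
static void tcp_reinit_congestion_control(struct sock_model *sk,
                                          const struct cc_ops *ca) {
    tcp_cleanup_congestion_control(sk);
    sk->icsk_ca_ops = ca;
    tcp_init_congestion_control(sk);
}

/* Buggy variant: unconditionally clears the flag, so the module the user
 * already initialized in TCP_SYN_SENT is initialized again without release(). */
static void tcp_init_transfer_buggy(struct sock_model *sk) {
    sk->icsk_ca_initialized = 0;
    if (!sk->icsk_ca_initialized)
        tcp_init_congestion_control(sk);
}

/* Fixed variant (assumed from the fix title): leave the flag alone and only
 * initialize if nothing has initialized the module yet. */
static void tcp_init_transfer_fixed(struct sock_model *sk) {
    if (!sk->icsk_ca_initialized)
        tcp_init_congestion_control(sk);
}

/* Replay steps (1)-(4) from the description, then close the socket.
 * Returns the number of CDG allocations still live: 0 = no leak. */
static int replay_sequence(void (*init_transfer)(struct sock_model *)) {
    struct sock_model sk;
    memset(&sk, 0, sizeof sk);
    live_allocs = 0;
    sk.icsk_ca_ops = &reno_ops;              /* (1) socket created, default CC */
    /* (2) TFO connect via sendto(): socket is now in TCP_SYN_SENT */
    tcp_reinit_congestion_control(&sk, &cdg_ops); /* (3) setsockopt(TCP_CONGESTION, "cdg") */
    init_transfer(&sk);                      /* (4) ACK received, tcp_init_transfer() */
    tcp_cleanup_congestion_control(&sk);     /* socket close: one release() */
    return live_allocs;
}

int main(void) {
    printf("buggy tcp_init_transfer: %d CDG allocation(s) leaked\n",
           replay_sequence(tcp_init_transfer_buggy));
    printf("fixed tcp_init_transfer: %d CDG allocation(s) leaked\n",
           replay_sequence(tcp_init_transfer_fixed));
    return 0;
}
```

The model keeps the invariant the kernel relies on: every init() of an allocating module must be paired with exactly one release(). The buggy variant breaks it not by skipping release() directly but by forgetting that the flag already recorded a completed init(), which is why the fix is to stop resetting icsk_ca_initialized rather than to add another release() call.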

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10 (including) 5.10.53 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.13.5 (excluding)
cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*