CVE-2024-50034

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC<br /> <br /> Eric report a panic on IPPROTO_SMC, and give the facts<br /> that when INET_PROTOSW_ICSK was set, icsk-&gt;icsk_sync_mss must be set too.<br /> <br /> Bug: Unable to handle kernel NULL pointer dereference at virtual address<br /> 0000000000000000<br /> Mem abort info:<br /> ESR = 0x0000000086000005<br /> EC = 0x21: IABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x05: level 1 translation fault<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000<br /> [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,<br /> pud=0000000000000000<br /> Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP<br /> Modules linked in:<br /> CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted<br /> 6.11.0-rc7-syzkaller-g5f5673607153 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine,<br /> BIOS Google 08/06/2024<br /> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : 0x0<br /> lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910<br /> sp : ffff80009b887a90<br /> x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000<br /> x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00<br /> x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000<br /> x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee<br /> x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001<br /> x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003<br /> x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000<br /> x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000<br /> Call trace:<br /> 0x0<br /> netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000<br /> smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593<br /> smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973<br /> security_socket_post_create+0x94/0xd4 security/security.c:4425<br /> __sock_create+0x4c8/0x884 net/socket.c:1587<br /> sock_create net/socket.c:1622 [inline]<br /> __sys_socket_create net/socket.c:1659 [inline]<br /> __sys_socket+0x134/0x340 net/socket.c:1706<br /> __do_sys_socket net/socket.c:1720 [inline]<br /> __se_sys_socket net/socket.c:1718 [inline]<br /> __arm64_sys_socket+0x7c/0x94 net/socket.c:1718<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712<br /> el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598<br /> Code: ???????? ???????? ???????? ???????? (????????)<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> This patch add a toy implementation that performs a simple return to<br /> prevent such panic. This is because MSS can be set in sock_create_kern<br /> or smc_setsockopt, similar to how it&amp;#39;s done in AF_SMC. However, for<br /> AF_SMC, there is currently no way to synchronize MSS within<br /> __sys_connect_file. This toy implementation lays the groundwork for us<br /> to support such feature for IPPROTO_SMC in the future.