CVE-2021-47370

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/05/2024
Last modified: 12/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: ensure tx skbs always have the MPTCP ext

Due to signed/unsigned comparison, the expression:

    info->size_goal - skb->len > 0

evaluates to true when the size goal is smaller than the skb size. That results in lack of tx cache refill, so that the skb allocated by the core TCP code lacks the required MPTCP skb extensions.

Due to the above, syzbot is able to trigger the following WARN_ON():

    WARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366
    Modules linked in:
    CPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366
    Call Trace:
     __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547
     mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003
     release_sock+0xb4/0x1b0 net/core/sock.c:3206
     sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145
     mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749
     inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643
     sock_sendmsg_nosec net/socket.c:704 [inline]
     sock_sendmsg+0xcf/0x120 net/socket.c:724
     sock_write_iter+0x2a0/0x3e0 net/socket.c:1057
     call_write_iter include/linux/fs.h:2163 [inline]
     new_sync_write+0x40b/0x640 fs/read_write.c:507
     vfs_write+0x7cf/0xae0 fs/read_write.c:594
     ksys_write+0x1ee/0x250 fs/read_write.c:647
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix the issue rewriting the relevant expression to avoid sign-related problems - note: size_goal is always >= 0.

Additionally, ensure that the skb in the tx cache always carries the relevant extension.
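Added example, not code from the CVE record or the kernel tree: the quoted expression evaluated with the kernel's field types (size_goal is an int, skb->len an unsigned int), beside a sign-safe rewrite. The rewrite is an assumed form that follows the note that size_goal is always >= 0; it is not claimed to be the exact upstream diff, and the helper names are invented for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Predicate exactly as quoted in the commit message. In the kernel, a true
 * result means the current tail skb is reused and the tx cache is not
 * refilled. C's usual arithmetic conversions turn the subtraction into
 * unsigned arithmetic, so a negative difference wraps to a huge value and
 * the test is true whenever the two lengths merely differ. */
bool reuse_tail_buggy(int size_goal, unsigned int skb_len)
{
    return size_goal - skb_len > 0;
}

/* Sign-safe rewrite (assumed form, not the upstream diff). Because the
 * commit states size_goal is never negative, converting it to unsigned is
 * lossless and the comparison now asks the intended question: is the tail
 * skb still below the size goal? */
bool reuse_tail_fixed(int size_goal, unsigned int skb_len)
{
    return skb_len < (unsigned int)size_goal;
}

/* Runs constructed (size_goal, skb->len) pairs through both predicates and
 * returns how many of them disagree. Each disagreement is a case where the
 * buggy check skips the refill and TCP would build a skb with no MPTCP ext. */
int count_disagreements(void)
{
    const int goals[] = { 1000, 2000, 2000 };      /* constructed inputs */
    const unsigned int lens[] = { 2000, 1000, 2000 };
    int disagree = 0;

    for (int i = 0; i < 3; i++) {
        bool b = reuse_tail_buggy(goals[i], lens[i]);
        bool f = reuse_tail_fixed(goals[i], lens[i]);
        printf("size_goal=%d skb->len=%u buggy=%d fixed=%d\n",
               goals[i], lens[i], b, f);
        disagree += (b != f);
    }
    return disagree;
}

int main(void)
{
    /* Only the "goal smaller than skb" case diverges. */
    return count_disagreements() == 1 ? 0 : 1;
}
```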

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 5.14.7 (including)
Up to: 5.14.9 (excluding)