CVE-2021-47544

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/05/2024
Last modified:
18/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix page frag corruption on page fault

Steffen reported a TCP stream corruption for HTTP requests
served by the apache web-server using a cifs mount-point
and memory mapping the relevant file.

The root cause is quite similar to the one addressed by
commit 20eb4f29b602 ("net: fix sk_page_frag() recursion from
memory reclaim"). Here the nested access to the task page frag
is caused by a page fault on the (mmapped) user-space memory
buffer coming from the cifs file.

The page fault handler performs an smb transaction on a different
socket, inside the same process context. Since sk->sk_allocation
for such socket does not prevent the usage for the task_frag,
the nested allocation modifies "under the hood" the page frag
in use by the outer sendmsg call, corrupting the stream.

The overall relevant stack trace looks like the following:

  httpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked:
    ffffffff91461d91 tcp_sendmsg_locked+0x1
    ffffffff91462b57 tcp_sendmsg+0x27
    ffffffff9139814e sock_sendmsg+0x3e
    ffffffffc06dfe1d smb_send_kvec+0x28
    [...]
    ffffffffc06cfaf8 cifs_readpages+0x213
    ffffffff90e83c4b read_pages+0x6b
    ffffffff90e83f31 __do_page_cache_readahead+0x1c1
    ffffffff90e79e98 filemap_fault+0x788
    ffffffff90eb0458 __do_fault+0x38
    ffffffff90eb5280 do_fault+0x1a0
    ffffffff90eb7c84 __handle_mm_fault+0x4d4
    ffffffff90eb8093 handle_mm_fault+0xc3
    ffffffff90c74f6d __do_page_fault+0x1ed
    ffffffff90c75277 do_page_fault+0x37
    ffffffff9160111e page_fault+0x1e
    ffffffff9109e7b5 copyin+0x25
    ffffffff9109eb40 _copy_from_iter_full+0xe0
    ffffffff91462370 tcp_sendmsg_locked+0x5e0
    ffffffff91462370 tcp_sendmsg_locked+0x5e0
    ffffffff91462b57 tcp_sendmsg+0x27
    ffffffff9139815c sock_sendmsg+0x4c
    ffffffff913981f7 sock_write_iter+0x97
    ffffffff90f2cc56 do_iter_readv_writev+0x156
    ffffffff90f2dff0 do_iter_write+0x80
    ffffffff90f2e1c3 vfs_writev+0xa3
    ffffffff90f2e27c do_writev+0x5c
    ffffffff90c042bb do_syscall_64+0x5b
    ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65

The cifs filesystem rightfully sets sk_allocation to GFP_NOFS,
we can avoid the nesting using the sk page frag for allocation
lacking the __GFP_FS flag. Do not define an additional mm-helper
for that, as this is strictly tied to the sk page frag usage.

v1 -> v2:
- use a stricter sk_page_frag() check instead of reordering the
  code (Eric)
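The sk_page_frag() rule the commit message describes, modeled in user-space C as an added illustration (this is not kernel code and not part of the CVE record or the upstream patch). It places the pre-fix selection rule, modeled here on the kernel's gfpflags_normal_context() check (any socket whose allocations may reclaim and are not MEMALLOC shares the per-task frag), next to the post-fix rule that additionally requires __GFP_FS, then replays the nested send from the stack trace: an outer tcp_sendmsg on a GFP_KERNEL HTTP socket reserves space in its frag, a page fault runs an SMB send on a GFP_NOFS cifs socket in the same task, and the model reports whether the nested write landed in the outer reservation. The GFP bit values, the struct layouts, and the helper names (`sk_page_frag_old`, `sk_page_frag_new`, `nested_send_corrupts`, `picks_task_frag`) are assumptions of this model, not the kernel's definitions.

```c
/*
 * Added illustration, not kernel code: a user-space model of the
 * sk_page_frag() selection rule before and after the fix for
 * CVE-2021-47544, plus a replay of the nested send that corrupts the
 * shared per-task page frag. GFP bit values, struct layouts and helper
 * names are assumptions of this model, not the kernel's definitions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative flag bits (real kernel values differ and vary by version). */
#define GFP_DIRECT_RECLAIM 0x1u
#define GFP_FS             0x2u
#define GFP_MEMALLOC       0x4u
#define GFP_IO             0x8u
#define GFP_KERNEL (GFP_DIRECT_RECLAIM | GFP_FS | GFP_IO)
#define GFP_NOFS   (GFP_DIRECT_RECLAIM | GFP_IO)   /* what cifs sets */

struct page_frag {
    char   data[64];
    size_t offset;                 /* next free byte in the frag */
};
struct task { struct page_frag task_frag; };
struct sock { unsigned gfp_allocation; struct page_frag sk_frag; };

typedef struct page_frag *(*frag_fn)(struct task *, struct sock *);

/* Pre-fix rule, modeled on gfpflags_normal_context(): every socket whose
 * allocations may reclaim and are not MEMALLOC shares the per-task frag. */
static struct page_frag *sk_page_frag_old(struct task *cur, struct sock *sk)
{
    unsigned g = sk->gfp_allocation;
    if ((g & GFP_DIRECT_RECLAIM) && !(g & GFP_MEMALLOC))
        return &cur->task_frag;
    return &sk->sk_frag;
}

/* Post-fix rule: also require __GFP_FS, so a GFP_NOFS socket (cifs)
 * keeps its own frag and never touches the task frag. */
static struct page_frag *sk_page_frag_new(struct task *cur, struct sock *sk)
{
    unsigned g    = sk->gfp_allocation;
    unsigned mask = GFP_DIRECT_RECLAIM | GFP_MEMALLOC | GFP_FS;
    if ((g & mask) == (GFP_DIRECT_RECLAIM | GFP_FS))
        return &cur->task_frag;
    return &sk->sk_frag;
}

/* Does `pick` hand a socket with allocation flags `gfp` the task frag? */
static bool picks_task_frag(frag_fn pick, unsigned gfp)
{
    struct task cur = {0};
    struct sock sk  = { .gfp_allocation = gfp };
    return pick(&cur, &sk) == &cur.task_frag;
}

/* Copy `len` bytes at the frag's current offset; return where they landed. */
static char *frag_append(struct page_frag *f, const char *src, size_t len)
{
    char *dst = f->data + f->offset;
    memcpy(dst, src, len);
    f->offset += len;
    return dst;
}

/*
 * Replay of the reported scenario: tcp_sendmsg on an HTTP socket reserves
 * space in its frag, then copies from a user buffer that is a cifs-backed
 * mmap. The copy faults, and the fault handler sends an SMB request on the
 * cifs socket from the same task before the outer copy completes. Returns
 * true when the nested write landed in the outer reservation, i.e. both
 * sockets now describe the same bytes and one of the streams is corrupted.
 */
static bool nested_send_corrupts(frag_fn pick)
{
    struct task cur     = {0};
    struct sock http_sk = { .gfp_allocation = GFP_KERNEL };
    struct sock cifs_sk = { .gfp_allocation = GFP_NOFS };
    const char payload[] = "HTTP/1.1 200 OK";        /* constructed sample */

    struct page_frag *f = pick(&cur, &http_sk);
    char *slot = f->data + f->offset;                /* reserved, not yet filled */

    /* Page fault mid-copy: nested allocation on the cifs socket. */
    char *nested = frag_append(pick(&cur, &cifs_sk), "SMB-REQ", 7);

    /* Outer copy finishes into the reservation taken earlier. */
    memcpy(slot, payload, sizeof payload);
    f->offset += sizeof payload;

    return nested == slot;
}

int main(void)
{
    printf("pre-fix rule:  nested send corrupts frag? %s\n",
           nested_send_corrupts(sk_page_frag_old) ? "yes" : "no");
    printf("post-fix rule: nested send corrupts frag? %s\n",
           nested_send_corrupts(sk_page_frag_new) ? "yes" : "no");
    return 0;
}
```

Under the old rule the cifs socket's GFP_NOFS flags still satisfy "may reclaim, not MEMALLOC", so the nested SMB send writes into the same task frag the outer HTTP send had reserved; under the fixed rule the missing __GFP_FS bit routes the cifs socket to its own sk_frag and the two reservations no longer alias. The model also keeps the pre-existing exclusion of MEMALLOC sockets, so the fix narrows the set of sockets that share the task frag without widening it.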

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      3.7 (including)   5.10.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)  5.15.7 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*