CVE-2023-52523
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 02/03/2024
Last modified: 13/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

With a SOCKMAP/SOCKHASH map and an sk_msg program a user can steer messages
sent from one TCP socket (s1) to actually egress from another TCP
socket (s2):

    tcp_bpf_sendmsg(s1)                    // = sk_prot->sendmsg
      tcp_bpf_send_verdict(s1)             // __SK_REDIRECT case
        tcp_bpf_sendmsg_redir(s2)
          tcp_bpf_push_locked(s2)
            tcp_bpf_push(s2)
              tcp_rate_check_app_limited(s2) // expects tcp_sock
              tcp_sendmsg_locked(s2)         // ditto

There is a hard-coded assumption in the call-chain, that the egress
socket (s2) is a TCP socket.

However, in commit 122e6c79efe1 ("sock_map: Update sock type checks for
UDP") we have enabled redirects to non-TCP sockets. This was done for the
sake of BPF sk_skb programs. There was no intention to support sk_msg
send-to-egress use case.

As a result, attempts to send-to-egress through a non-TCP socket lead to a
crash due to invalid downcast from sock to tcp_sock:

    BUG: kernel NULL pointer dereference, address: 000000000000002f
    ...
    Call Trace:

     ? show_regs+0x60/0x70
     ? __die+0x1f/0x70
     ? page_fault_oops+0x80/0x160
     ? do_user_addr_fault+0x2d7/0x800
     ? rcu_is_watching+0x11/0x50
     ? exc_page_fault+0x70/0x1c0
     ? asm_exc_page_fault+0x27/0x30
     ? tcp_tso_segs+0x14/0xa0
     tcp_write_xmit+0x67/0xce0
     __tcp_push_pending_frames+0x32/0xf0
     tcp_push+0x107/0x140
     tcp_sendmsg_locked+0x99f/0xbb0
     tcp_bpf_push+0x19d/0x3a0
     tcp_bpf_sendmsg_redir+0x55/0xd0
     tcp_bpf_send_verdict+0x407/0x550
     tcp_bpf_sendmsg+0x1a1/0x390
     inet_sendmsg+0x6a/0x70
     sock_sendmsg+0x9d/0xc0
     ? sockfd_lookup_light+0x12/0x80
     __sys_sendto+0x10e/0x160
     ? syscall_enter_from_user_mode+0x20/0x60
     ? __this_cpu_preempt_check+0x13/0x20
     ? lockdep_hardirqs_on+0x82/0x110
     __x64_sys_sendto+0x1f/0x30
     do_syscall_64+0x38/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

Reject selecting a non-TCP socket as redirect target from a BPF sk_msg
program to prevent the crash. When attempted, the user will receive an EACCES
error from send/sendto/sendmsg() syscall.
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 5.15.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.6:rc4:*:*:*:*:*:* | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/b80e31baa43614e086a9d29dc1151932b1bd7fc5
- https://git.kernel.org/stable/c/b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
- https://git.kernel.org/stable/c/bc8b89b6963803a123f64aa9494155a037b3d728
- https://git.kernel.org/stable/c/ded6e448028f0f91b6af35985afca01fa02a9089