CVE-2023-52701

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: use a bounce buffer for copying skb-&gt;mark<br /> <br /> syzbot found arm64 builds would crash in sock_recv_mark()<br /> when CONFIG_HARDENED_USERCOPY=y<br /> <br /> x86 and powerpc are not detecting the issue because<br /> they define user_access_begin.<br /> This will be handled in a different patch,<br /> because a check_object_size() is missing.<br /> <br /> Only data from skb-&gt;cb[] can be copied directly to/from user space,<br /> as explained in commit 79a8a642bf05 ("net: Whitelist<br /> the skbuff_head_cache "cb" field")<br /> <br /> syzbot report was:<br /> usercopy: Kernel memory exposure attempt detected from SLUB object &amp;#39;skbuff_head_cache&amp;#39; (offset 168, size 4)!<br /> ------------[ cut here ]------------<br /> kernel BUG at mm/usercopy.c:102 !<br /> Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP<br /> Modules linked in:<br /> CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023<br /> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90<br /> lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90<br /> sp : ffff80000fb9b9a0<br /> x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00<br /> x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000<br /> x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8<br /> x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000<br /> x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118<br /> x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400<br /> x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00<br /> x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000<br /> x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000<br /> x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c<br /> Call trace:<br /> usercopy_abort+0x90/0x94 mm/usercopy.c:90<br /> __check_heap_object+0xa8/0x100 mm/slub.c:4761<br /> check_heap_object mm/usercopy.c:196 [inline]<br /> __check_object_size+0x208/0x6b8 mm/usercopy.c:251<br /> check_object_size include/linux/thread_info.h:199 [inline]<br /> __copy_to_user include/linux/uaccess.h:115 [inline]<br /> put_cmsg+0x408/0x464 net/core/scm.c:238<br /> sock_recv_mark net/socket.c:975 [inline]<br /> __sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984<br /> sock_recv_cmsgs include/net/sock.h:2728 [inline]<br /> packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482<br /> ____sys_recvmsg+0x110/0x3a0<br /> ___sys_recvmsg net/socket.c:2737 [inline]<br /> __sys_recvmsg+0x194/0x210 net/socket.c:2767<br /> __do_sys_recvmsg net/socket.c:2777 [inline]<br /> __se_sys_recvmsg net/socket.c:2774 [inline]<br /> __arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774<br /> __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]<br /> invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52<br /> el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142<br /> do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193<br /> el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637<br /> el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591<br /> Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)