CVE-2024-41048

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> skmsg: Skip zero length skb in sk_msg_recvmsg<br /> <br /> When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch<br /> platform, the following kernel panic occurs:<br /> <br /> [...]<br /> Oops[#1]:<br /> CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18<br /> Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018<br /> ... ...<br /> ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560<br /> ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0<br /> CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)<br /> PRMD: 0000000c (PPLV0 +PIE +PWE)<br /> EUEN: 00000007 (+FPE +SXE +ASXE -BTE)<br /> ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)<br /> ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)<br /> BADV: 0000000000000040<br /> PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)<br /> Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack<br /> Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)<br /> Stack : ...<br /> Call Trace:<br /> [] copy_page_to_iter+0x74/0x1c0<br /> [] sk_msg_recvmsg+0x120/0x560<br /> [] tcp_bpf_recvmsg_parser+0x170/0x4e0<br /> [] inet_recvmsg+0x54/0x100<br /> [] sock_recvmsg+0x7c/0xe0<br /> [] __sys_recvfrom+0x108/0x1c0<br /> [] sys_recvfrom+0x1c/0x40<br /> [] do_syscall+0x8c/0xc0<br /> [] handle_syscall+0xc4/0x160<br /> Code: ...<br /> ---[ end trace 0000000000000000 ]---<br /> Kernel panic - not syncing: Fatal exception<br /> Kernel relocated by 0x3510000<br /> .text @ 0x9000000003710000<br /> .data @ 0x9000000004d70000<br /> .bss @ 0x9000000006469400<br /> ---[ end Kernel panic - not syncing: Fatal exception ]---<br /> [...]<br /> <br /> This crash happens every time when running sockmap_skb_verdict_shutdown<br /> subtest in sockmap_basic.<br /> <br /> This crash is because a NULL pointer is passed to page_address() in the<br /> sk_msg_recvmsg(). Due to the different implementations depending on the<br /> architecture, page_address(NULL) will trigger a panic on Loongarch<br /> platform but not on x86 platform. So this bug was hidden on x86 platform<br /> for a while, but now it is exposed on Loongarch platform. The root cause<br /> is that a zero length skb (skb-&gt;len == 0) was put on the queue.<br /> <br /> This zero length skb is a TCP FIN packet, which was sent by shutdown(),<br /> invoked in test_sockmap_skb_verdict_shutdown():<br /> <br /> shutdown(p1, SHUT_WR);<br /> <br /> In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no<br /> page is put to this sge (see sg_set_page in sg_set_page), but this empty<br /> sge is queued into ingress_msg list.<br /> <br /> And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by<br /> sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it<br /> to kmap_local_page() and to page_address(), then kernel panics.<br /> <br /> To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),<br /> if copy is zero, that means it&amp;#39;s a zero length skb, skip invoking<br /> copy_page_to_iter(). We are using the EFAULT return triggered by<br /> copy_page_to_iter to check for is_fin in tcp_bpf.c.