CVE-2021-4442 Information
Description
In the Linux kernel the following vulnerability has been resolved:
tcp: add sanity tests to TCP_QUEUE_SEQ
Qingyu Li reported a syzkaller bug where the repro changes RCV SEQ after restoring data in the receive queue.
mprotect(0x4aa000, 12288, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=�00000000000003\0\0\, iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL) = -1 ECONNRESET (Connection reset by peer)

syslog shows:

[  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0
This should not be allowed. TCP_QUEUE_SEQ should only be used when queues are empty.
This patch fixes this case and the tx path as well.
Reference
https://git.kernel.org/stable/c/319f460237fc2965a80aa9a055044e1da7b3692a
https://git.kernel.org/stable/c/3bf899438c123c444f6b644a57784dfbb6b15ad6
https://git.kernel.org/stable/c/046f3c1c2ff450fb7ae53650e9a95e0074a61f3e
https://git.kernel.org/stable/c/3b72d5a703842f582502d97906f17d6ee122dac2
https://git.kernel.org/stable/c/8811f4a9836e31c14ecdf79d9f3cb7c5d463265d