CVE-2022-49018 Information

Nov 01, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

mptcp: fix sleep in atomic at close time

Matt reported a splat at msk close time:

BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
in_atomic(): 1 irqs_disabled(): 0 non_block: 0 pid: 155 name: packetdrill
preempt_count: 201 expected: 0
RCU nest depth: 0 expected: 0
4 locks held by packetdrill/155:
0: ffff888001536990 (&sb->s_type->i_mutex_key6)+.+.-3:3 at: __sock_release (net/socket.c:650)
1: ffff88800b498130 (sk_lock-AF_INET)+.+.-0:0 at: mptcp_close (net/mptcp/protocol.c:2973)
2: ffff88800b49a130 (sk_lock-AF_INET/1)+.+.-0:0 at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)
3: ffff88800b49a0b0 (slock-AF_INET)+...-2:2 at: __lock_sock_fast (include/net/sock.h:1820)
Preemption disabled at:
0x0
CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 365
Hardware name: QEMU Standard PC (i440FX + PIIX 1996) BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
__might_resched.cold (kernel/sched/core.c:9891)
__mptcp_destroy_sock (include/linux/kernel.h:110)
__mptcp_close (net/mptcp/protocol.c:2959)
mptcp_subflow_queue_clean (include/net/sock.h:1777)
__mptcp_close_ssk (net/mptcp/protocol.c:2363)
mptcp_destroy_common (net/mptcp/protocol.c:3170)
mptcp_destroy (include/net/sock.h:1495)
__mptcp_destroy_sock (net/mptcp/protocol.c:2886)
__mptcp_close (net/mptcp/protocol.c:2959)
mptcp_close (net/mptcp/protocol.c:2974)
inet_release (net/ipv4/af_inet.c:432)
__sock_release (net/socket.c:651)
sock_close (net/socket.c:1367)
__fput (fs/file_table.c:320)
task_work_run (kernel/task_work.c:181 (discriminator 1))
exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)
syscall_exit_to_user_mode (kernel/entry/common.c:130)
do_syscall_64 (arch/x86/entry/common.c:87)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

We can’t call mptcp_close under the ‘fast’ socket lock variant replace it with a sock_lock_nested() as the relevant code is already under the listening msk socket lock protection.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

https://git.kernel.org/stable/c/d8e6c5500dbf0f3e87aace90d4beba6ae928e866 https://git.kernel.org/stable/c/b4f166651d03b5484fa179817ba8ad4899a5a6ac

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5

Share on: