Bug 1221550 (CVE-2021-47132)

Summary: VUL-0: CVE-2021-47132: kernel: mptcp: sk_forward_memory corruption on retransmission
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, osalvador
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/397866/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47132:6.3:(AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-18 08:38:01 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix sk_forward_memory corruption on retransmission

MPTCP sk_forward_memory handling is a bit special, as such field
is protected by the msk socket spin_lock, instead of the plain
socket lock.

Currently we have a code path updating such field without handling
the relevant lock:

__mptcp_retrans() -> __mptcp_clean_una_wakeup()

Several helpers in __mptcp_clean_una_wakeup() will update
sk_forward_alloc, possibly causing such field corruption, as reported
by Matthieu.

Address the issue providing and using a new variant of blamed function
which explicitly acquires the msk spin lock.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47132
https://www.cve.org/CVERecord?id=CVE-2021-47132
https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3
https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
https://bugzilla.redhat.com/show_bug.cgi?id=2269818
Comment 1 Carlos López 2024-03-18 08:38:30 UTC 
Already fixed in cve/linux-5.14 and newer. cve/linux-5.3 and older are not affected.
Comment 3 Gabriele Sonnu 2024-06-07 13:39:37 UTC 
All done, closing.