Bug 1224514 (CVE-2024-35894)

Summary: VUL-0: CVE-2024-35894: kernel: mptcp: prevent BPF accessing lowat from a subflow socket.
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gabriele.sonnu, jlee
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/406583/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-20 13:27:09 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mptcp: prevent BPF accessing lowat from a subflow socket.

Alexei reported the following splat:

 WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
 Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]
 CPU: 32 PID: 3276 Comm: test_progs Tainted: GO       6.8.0-12873-g2c43c33bfd23
 Call Trace:
  <TASK>
  mptcp_set_rcvlowat+0x79/0x1d0
  sk_setsockopt+0x6c0/0x1540
  __bpf_setsockopt+0x6f/0x90
  bpf_sock_ops_setsockopt+0x3c/0x90
  bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b
  bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132
  bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86
  __cgroup_bpf_run_filter_sock_ops+0xbc/0x250
  tcp_connect+0x879/0x1160
  tcp_v6_connect+0x50c/0x870
  mptcp_connect+0x129/0x280
  __inet_stream_connect+0xce/0x370
  inet_stream_connect+0x36/0x50
  bpf_trampoline_6442491565+0x49/0xef
  inet_stream_connect+0x5/0x50
  __sys_connect+0x63/0x90
  __x64_sys_connect+0x14/0x20

The root cause of the issue is that bpf allows accessing mptcp-level
proto_ops from a tcp subflow scope.

Fix the issue detecting the problematic call and preventing any action.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35894
https://www.cve.org/CVERecord?id=CVE-2024-35894
https://git.kernel.org/stable/c/3ffb1ab698376f09cc33101c07c1be229389fe29
https://git.kernel.org/stable/c/fcf4692fa39e86a590c14a4af2de704e1d20a3b5
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35894.mbox
Comment 1 Joey Lee 2024-05-23 07:00:14 UTC 
joeyli@linux-691t:/mnt/working/source_code-git/kernel-source> ./scripts/check-kernel-fix -s 0 CVE-2024-35894
fcf4692fa39e ("mptcp: prevent BPF accessing lowat from a subflow socket.") merged v6.9-rc3~30^2~26
Fixes: 5684ab1a0eff ("mptcp: give rcvlowat some love") merged v6.7-rc1~160^2~34^2~4
Security fix for CVE-2024-35894 bsc#1224514 with CVSS 0
Experts candidates: mkubecek@suse.cz denis.kirjanov@suse.com davide.benini@suse.com 
..............................
NO ACTION NEEDED: All relevant branches contain the fix!

Does not affect any branch. reset assignee
Comment 2 Andrea Mattiazzo 2024-05-23 15:53:15 UTC 
All done, closing.