1224971 – (CVE-2021-47304) VUL-0: CVE-2021-47304: kernel: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

Bug 1224971 (CVE-2021-47304) - VUL-0: CVE-2021-47304: kernel: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

Summary: VUL-0: CVE-2021-47304: kernel: tcp: fix tcp_init_transfer() to not reset icsk...

Status:	RESOLVED FIXED

Alias:	CVE-2021-47304

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/406938/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-05-22 12:35 UTC by SMASH SMASH
Modified:	2024-06-10 12:57 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-05-22 12:35:10 UTC

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

This commit fixes a bug (found by syzkaller) that could cause spurious
double-initializations for congestion control modules, which could cause
memory leaks or other problems for congestion control modules (like CDG)
that allocate memory in their init functions.

The buggy scenario constructed by syzkaller was something like:

(1) create a TCP socket
(2) initiate a TFO connect via sendto()
(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
    which calls:
       tcp_set_congestion_control() ->
         tcp_reinit_congestion_control() ->
           tcp_init_congestion_control()
(4) receive ACK, connection is established, call tcp_init_transfer(),
    set icsk_ca_initialized=0 (without first calling cc->release()),
    call tcp_init_congestion_control() again.

Note that in this sequence tcp_init_congestion_control() is called
twice without a cc->release() call in between. Thus, for CC modules
that allocate memory in their init() function, e.g, CDG, a memory leak
may occur. The syzkaller tool managed to find a reproducer that
triggered such a leak in CDG.

The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init
congestion control if not initialized already")
introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in
tcp_init_transfer(), missing the possibility for a sequence like the
one above, where a process could call setsockopt(TCP_CONGESTION) in
state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),
which would call tcp_init_congestion_control(). It did not intend to
reset any initialization that the user had already explicitly made;
it just missed the possibility of that particular sequence (which
syzkaller managed to find).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47304
https://www.cve.org/CVERecord?id=CVE-2021-47304
https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7
https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc
https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2021/CVE-2021-47304.mbox

Comment 2 Michal Hocko 2024-05-24 17:52:45 UTC

nothing to be done

Comment 3 Gabriele Sonnu 2024-06-10 12:57:20 UTC

All done, closing.