Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: linearize cloned gso packets in sctp_rcv

A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs.

syzbot reported two use-of-uninitialized-memory bugs caused by this:

BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
 __release_sock+0x1da/0x330 net/core/sock.c:3106
 release_sock+0x6b/0x250 net/core/sock.c:3660
 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:718 [inline]

and

BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
 __release_sock+0x1d3/0x330 net/core/sock.c:3213
 release_sock+0x6b/0x270 net/core/sock.c:3767
 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:712 [inline]

This patch fixes it by linearizing cloned gso packets in sctp_rcv().
Product status
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before d0194e391bb493aa6cec56d177b14df6b29188d5
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before 03d0cc6889e02420125510b5444b570f4bbf53d5
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before cd0e92bb2b7542fb96397ffac639b4f5b099d0cb
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before ea094f38d387d1b0ded5dee4a3e5720aa4ce0139
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before 7d757f17bc2ef2727994ffa6d5d6e4bc4789a770
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before fc66772607101bd2030a4332b3bd0ea3b3605250
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before 1bd5214ea681584c5886fea3ba03e49f93a43c0e
90017accff61ae89283ad9a51f9ac46ca01633fb (git) before fd60d8a086191fe33c2d719732d2482052fa6805
4.8
Any version before 4.8
5.4.297 (semver)
5.10.241 (semver)
5.15.190 (semver)
6.6.103 (semver)
6.12.43 (semver)
6.15.11 (semver)
6.16.2 (semver)
6.17 (original_commit_for_fix)
References
git.kernel.org/...c/d0194e391bb493aa6cec56d177b14df6b29188d5
git.kernel.org/...c/03d0cc6889e02420125510b5444b570f4bbf53d5
git.kernel.org/...c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb
git.kernel.org/...c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139
git.kernel.org/...c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770
git.kernel.org/...c/fc66772607101bd2030a4332b3bd0ea3b3605250
git.kernel.org/...c/1bd5214ea681584c5886fea3ba03e49f93a43c0e
git.kernel.org/...c/fd60d8a086191fe33c2d719732d2482052fa6805