fkie_cve-2022-49372
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-02-26 07:01
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: tcp_rtx_synack() can be called from process context
Laurent reported the enclosed report [1]
This bug triggers with following coditions:
0) Kernel built with CONFIG_DEBUG_PREEMPT=y
1) A new passive FastOpen TCP socket is created.
This FO socket waits for an ACK coming from client to be a complete
ESTABLISHED one.
2) A socket operation on this socket goes through lock_sock()
release_sock() dance.
3) While the socket is owned by the user in step 2),
a retransmit of the SYN is received and stored in socket backlog.
4) At release_sock() time, the socket backlog is processed while
in process context.
5) A SYNACK packet is cooked in response of the SYN retransmit.
6) -> tcp_rtx_synack() is called in process context.
Before blamed commit, tcp_rtx_synack() was always called from BH handler,
from a timer handler.
Fix this by using TCP_INC_STATS() & NET_INC_STATS()
which do not assume caller is in non preemptible context.
[1]
BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180
caller is tcp_rtx_synack.part.0+0x36/0xc0
CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1
Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021
Call Trace:
<TASK>
dump_stack_lvl+0x48/0x5e
check_preemption_disabled+0xde/0xe0
tcp_rtx_synack.part.0+0x36/0xc0
tcp_rtx_synack+0x8d/0xa0
? kmem_cache_alloc+0x2e0/0x3e0
? apparmor_file_alloc_security+0x3b/0x1f0
inet_rtx_syn_ack+0x16/0x30
tcp_check_req+0x367/0x610
tcp_rcv_state_process+0x91/0xf60
? get_nohz_timer_target+0x18/0x1a0
? lock_timer_base+0x61/0x80
? preempt_count_add+0x68/0xa0
tcp_v4_do_rcv+0xbd/0x270
__release_sock+0x6d/0xb0
release_sock+0x2b/0x90
sock_setsockopt+0x138/0x1140
? __sys_getsockname+0x7e/0xc0
? aa_sk_perm+0x3e/0x1a0
__sys_setsockopt+0x198/0x1e0
__x64_sys_setsockopt+0x21/0x30
do_syscall_64+0x38/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: tcp_rtx_synack() can be called from process context\n\nLaurent reported the enclosed report [1]\n\nThis bug triggers with following coditions:\n\n0) Kernel built with CONFIG_DEBUG_PREEMPT=y\n\n1) A new passive FastOpen TCP socket is created.\n This FO socket waits for an ACK coming from client to be a complete\n ESTABLISHED one.\n2) A socket operation on this socket goes through lock_sock()\n release_sock() dance.\n3) While the socket is owned by the user in step 2),\n a retransmit of the SYN is received and stored in socket backlog.\n4) At release_sock() time, the socket backlog is processed while\n in process context.\n5) A SYNACK packet is cooked in response of the SYN retransmit.\n6) -\u003e tcp_rtx_synack() is called in process context.\n\nBefore blamed commit, tcp_rtx_synack() was always called from BH handler,\nfrom a timer handler.\n\nFix this by using TCP_INC_STATS() \u0026 NET_INC_STATS()\nwhich do not assume caller is in non preemptible context.\n\n[1]\nBUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180\ncaller is tcp_rtx_synack.part.0+0x36/0xc0\nCPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1\nHardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x48/0x5e\n check_preemption_disabled+0xde/0xe0\n tcp_rtx_synack.part.0+0x36/0xc0\n tcp_rtx_synack+0x8d/0xa0\n ? kmem_cache_alloc+0x2e0/0x3e0\n ? apparmor_file_alloc_security+0x3b/0x1f0\n inet_rtx_syn_ack+0x16/0x30\n tcp_check_req+0x367/0x610\n tcp_rcv_state_process+0x91/0xf60\n ? get_nohz_timer_target+0x18/0x1a0\n ? lock_timer_base+0x61/0x80\n ? preempt_count_add+0x68/0xa0\n tcp_v4_do_rcv+0xbd/0x270\n __release_sock+0x6d/0xb0\n release_sock+0x2b/0x90\n sock_setsockopt+0x138/0x1140\n ? __sys_getsockname+0x7e/0xc0\n ? aa_sk_perm+0x3e/0x1a0\n __sys_setsockopt+0x198/0x1e0\n __x64_sys_setsockopt+0x21/0x30\n do_syscall_64+0x38/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: tcp_rtx_synack() puede ser llamado desde el contexto del proceso Laurent report\u00f3 el informe adjunto [1] Este error se activa con las siguientes condiciones: 0) Kernel construido con CONFIG_DEBUG_PREEMPT=y 1) Se crea un nuevo socket TCP FastOpen pasivo. Este socket FO espera un ACK proveniente del cliente para ser un ACK ESTABLISHED completo. 2) Una operaci\u00f3n de socket en este socket pasa por el baile lock_sock() release_sock(). 3) Mientras el socket es propiedad del usuario en el paso 2), se recibe una retransmisi\u00f3n del SYN y se almacena en el backlog del socket. 4) En el momento release_sock(), el backlog del socket se procesa mientras est\u00e1 en el contexto del proceso. 5) Se cocina un paquete SYNACK en respuesta a la retransmisi\u00f3n de SYN. 6) -\u0026gt; tcp_rtx_synack() se llama en el contexto del proceso. Antes de el commit con culpa, tcp_rtx_synack() siempre se llamaba desde el controlador BH, desde un controlador de temporizador. Corrija esto usando TCP_INC_STATS() y NET_INC_STATS() que no asumen que el llamador est\u00e1 en un contexto no preemptible. [1] BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 caller is tcp_rtx_synack.part.0+0x36/0xc0 CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 Call Trace: dump_stack_lvl+0x48/0x5e check_preemption_disabled+0xde/0xe0 tcp_rtx_synack.part.0+0x36/0xc0 tcp_rtx_synack+0x8d/0xa0 ? kmem_cache_alloc+0x2e0/0x3e0 ? apparmor_file_alloc_security+0x3b/0x1f0 inet_rtx_syn_ack+0x16/0x30 tcp_check_req+0x367/0x610 tcp_rcv_state_process+0x91/0xf60 ? get_nohz_timer_target+0x18/0x1a0 ? lock_timer_base+0x61/0x80 ? preempt_count_add+0x68/0xa0 tcp_v4_do_rcv+0xbd/0x270 __release_sock+0x6d/0xb0 release_sock+0x2b/0x90 sock_setsockopt+0x138/0x1140 ? __sys_getsockname+0x7e/0xc0 ? aa_sk_perm+0x3e/0x1a0 __sys_setsockopt+0x198/0x1e0 __x64_sys_setsockopt+0x21/0x30 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae "
}
],
"id": "CVE-2022-49372",
"lastModified": "2025-02-26T07:01:13.870",
"metrics": {},
"published": "2025-02-26T07:01:13.870",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/0a0f7f84148445c9f02f226928803a870139d820"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/0a375c822497ed6ad6b5da0792a12a6f1af10c0b"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/3db889f883e65bbd3b1401279bfc1e9ed255c481"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/58bd38cbc961fd799842b7be8c5222310f04b908"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/88cd232146207ff1d41dededed5e77c0d4438113"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/bdc28a8fb43cc476e33b11519235adb816ce00e8"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/c348b0f8d035fc4bdc040796889beec7218bd1b8"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d05c2fdf8e10528bb6751bd95243e862d5402a9b"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d8e1bc6029acac796293310aacef7b7336f35b6a"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…