Bug 2143893 (CVE-2022-3566) - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt
Summary: CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2135319 2143902 2143903 2143904 2143905
Blocks: 2143896
Reported: 2022-11-18 09:03 UTC by Rohit Keshri
Modified: 2024-02-08 16:51 UTC (History)

Fixed In Version: kernel 6.1 RC1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the TCP subsystem of the Linux kernel, due to a data race around icsk->icsk_af_ops. This issue could allow an attacker to leak internal kernel information.
Clone Of:
Environment:
Last Closed: 2023-05-16 21:43:22 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2023:2148 (last updated 2023-05-09 07:12:17 UTC)
Red Hat Product Errata RHSA-2023:2458 (last updated 2023-05-09 07:51:58 UTC)
Red Hat Product Errata RHSA-2023:2736 (last updated 2023-05-16 08:05:39 UTC)
Red Hat Product Errata RHSA-2023:2951 (last updated 2023-05-16 08:34:25 UTC)
Red Hat Product Errata RHSA-2024:0724 (last updated 2024-02-07 16:29:34 UTC)

Description Rohit Keshri 2022-11-18 09:03:48 UTC
setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
under lock_sock(), but tcp_(get|set)sockopt() read it locklessly, causing a
data race in tcp_setsockopt / tcp_v6_connect.

Crash:
******
BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect

write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
__inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
__sys_connect_file net/socket.c:1976 [inline]
__sys_connect+0x197/0x1b0 net/socket.c:1993
__do_sys_connect net/socket.c:2003 [inline]
__se_sys_connect net/socket.c:2000 [inline]
__x64_sys_connect+0x3d/0x50 net/socket.c:2000
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
__sys_setsockopt+0x212/0x2b0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263 [inline]
__se_sys_setsockopt net/socket.c:2260 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57

Comment 8 errata-xmlrpc 2023-05-09 07:12:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148

Comment 9 errata-xmlrpc 2023-05-09 07:51:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458

Comment 10 errata-xmlrpc 2023-05-16 08:05:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736

Comment 11 errata-xmlrpc 2023-05-16 08:34:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951

Comment 12 Product Security DevOps Team 2023-05-16 21:43:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3566

Comment 16 errata-xmlrpc 2024-02-07 16:29:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724
