{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix page frag corruption on page fault\n\nSteffen reported a TCP stream corruption for HTTP requests\nserved by the apache web-server using a cifs mount-point\nand memory mapping the relevant file.\n\nThe root cause is quite similar to the one addressed by\ncommit 20eb4f29b602 (\"net: fix sk_page_frag() recursion from\nmemory reclaim\"). Here the nested access to the task page frag\nis caused by a page fault on the (mmapped) user-space memory\nbuffer coming from the cifs file.\n\nThe page fault handler performs an smb transaction on a different\nsocket, inside the same process context. Since sk->sk_allaction\nfor such socket does not prevent the usage for the task_frag,\nthe nested allocation modify \"under the hood\" the page frag\nin use by the outer sendmsg call, corrupting the stream.\n\nThe overall relevant stack trace looks like the following:\n\nhttpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked:\n ffffffff91461d91 tcp_sendmsg_locked+0x1\n ffffffff91462b57 tcp_sendmsg+0x27\n ffffffff9139814e sock_sendmsg+0x3e\n ffffffffc06dfe1d smb_send_kvec+0x28\n [...]\n ffffffffc06cfaf8 cifs_readpages+0x213\n ffffffff90e83c4b read_pages+0x6b\n ffffffff90e83f31 __do_page_cache_readahead+0x1c1\n ffffffff90e79e98 filemap_fault+0x788\n ffffffff90eb0458 __do_fault+0x38\n ffffffff90eb5280 do_fault+0x1a0\n ffffffff90eb7c84 __handle_mm_fault+0x4d4\n ffffffff90eb8093 handle_mm_fault+0xc3\n ffffffff90c74f6d __do_page_fault+0x1ed\n ffffffff90c75277 do_page_fault+0x37\n ffffffff9160111e page_fault+0x1e\n ffffffff9109e7b5 copyin+0x25\n ffffffff9109eb40 _copy_from_iter_full+0xe0\n ffffffff91462370 tcp_sendmsg_locked+0x5e0\n ffffffff91462370 tcp_sendmsg_locked+0x5e0\n ffffffff91462b57 tcp_sendmsg+0x27\n ffffffff9139815c sock_sendmsg+0x4c\n ffffffff913981f7 sock_write_iter+0x97\n ffffffff90f2cc56 do_iter_readv_writev+0x156\n ffffffff90f2dff0 do_iter_write+0x80\n ffffffff90f2e1c3 vfs_writev+0xa3\n ffffffff90f2e27c do_writev+0x5c\n ffffffff90c042bb do_syscall_64+0x5b\n ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65\n\nThe cifs filesystem rightfully sets sk_allocations to GFP_NOFS,\nwe can avoid the nesting using the sk page frag for allocation\nlacking the __GFP_FS flag. Do not define an additional mm-helper\nfor that, as this is strictly tied to the sk page frag usage.\n\nv1 -> v2:\n - use a stricted sk_page_frag() check instead of reordering the\n code (Eric)" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "include/net/sock.h" ], "versions": [ { "version": "5640f7685831", "lessThan": "c6f340a331fb", "status": "affected", "versionType": "git" }, { "version": "5640f7685831", "lessThan": "5a9afcd827ca", "status": "affected", "versionType": "git" }, { "version": "5640f7685831", "lessThan": "dacb5d8875cc", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "include/net/sock.h" ], "versions": [ { "version": "3.7", "status": "affected" }, { "version": "0", "lessThan": "3.7", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.84", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.7", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/c6f340a331fb72e5ac23a083de9c780e132ca3ae" }, { "url": "https://git.kernel.org/stable/c/5a9afcd827cafe14a95c9fcbded2c2d104f18dfc" }, { "url": "https://git.kernel.org/stable/c/dacb5d8875cc6cd3a553363b4d6f06760fcbe70c" } ], "title": "tcp: fix page frag corruption on page fault", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-47544", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }