Commit 51b33086 authored by Cong Wang's avatar Cong Wang Committed by Zhang Changzhong
Browse files

vsock: fix recursive ->recvmsg calls 

stable inclusion
from stable-v6.6.48
commit 921f1acf0c3cf6b1260ab57a8a6e8b3d5f3023d5
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZC
CVE: CVE-2024-44996

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=921f1acf0c3cf6b1260ab57a8a6e8b3d5f3023d5



--------------------------------

[ Upstream commit 69139d2919dd4aa9a553c8245e7c63e82613e3fc ]

After a vsock socket has been added to a BPF sockmap, its prot->recvmsg
has been replaced with vsock_bpf_recvmsg(). Thus the following
recursiion could happen:

vsock_bpf_recvmsg()
 -> __vsock_recvmsg()
  -> vsock_connectible_recvmsg()
   -> prot->recvmsg()
    -> vsock_bpf_recvmsg() again

We need to fix it by calling the original ->recvmsg() without any BPF
sockmap logic in __vsock_recvmsg().

Fixes: 634f1a71 ("vsock: support sockmap")
Reported-by: default avatar <syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com>
Tested-by: default avatar <syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com>
Cc: Bobby Eshleman <bobby.eshleman@bytedance.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20240812022153.86512-1-xiyou.wangcong@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parent 7ab021d4

include/net/af_vsock.h

+4 −0
Original line number Diff line number Diff line
@@ -227,8 +227,12 @@ struct vsock_tap { 
int vsock_add_tap(struct vsock_tap *vt);

int vsock_remove_tap(struct vsock_tap *vt);

void vsock_deliver_tap(struct sk_buff *build_skb(void *opaque), void *opaque);

int __vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

				int flags);

int vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

			      int flags);

int __vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,

			  size_t len, int flags);

int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,

			size_t len, int flags);

net/vmw_vsock/af_vsock.c

+29 −21
Original line number Diff line number Diff line
@@ -1270,25 +1270,28 @@ static int vsock_dgram_connect(struct socket *sock, 
	return err;

}



int __vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,

			  size_t len, int flags)

{

	struct sock *sk = sock->sk;

	struct vsock_sock *vsk = vsock_sk(sk);



	return vsk->transport->dgram_dequeue(vsk, msg, len, flags);

}



int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,

			size_t len, int flags)

{

#ifdef CONFIG_BPF_SYSCALL

	struct sock *sk = sock->sk;

	const struct proto *prot;

#endif

	struct vsock_sock *vsk;

	struct sock *sk;



	sk = sock->sk;

	vsk = vsock_sk(sk);



#ifdef CONFIG_BPF_SYSCALL

	prot = READ_ONCE(sk->sk_prot);

	if (prot != &vsock_proto)

		return prot->recvmsg(sk, msg, len, flags, NULL);

#endif



	return vsk->transport->dgram_dequeue(vsk, msg, len, flags);

	return __vsock_dgram_recvmsg(sock, msg, len, flags);

}

EXPORT_SYMBOL_GPL(vsock_dgram_recvmsg);
@@ -2124,15 +2127,12 @@ static int __vsock_seqpacket_recvmsg(struct sock *sk, struct msghdr *msg, 
}



int

vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

__vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

			    int flags)

{

	struct sock *sk;

	struct vsock_sock *vsk;

	const struct vsock_transport *transport;

#ifdef CONFIG_BPF_SYSCALL

	const struct proto *prot;

#endif

	int err;



	sk = sock->sk;
@@ -2183,14 +2183,6 @@ vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, 
		goto out;

	}



#ifdef CONFIG_BPF_SYSCALL

	prot = READ_ONCE(sk->sk_prot);

	if (prot != &vsock_proto) {

		release_sock(sk);

		return prot->recvmsg(sk, msg, len, flags, NULL);

	}

#endif



	if (sk->sk_type == SOCK_STREAM)

		err = __vsock_stream_recvmsg(sk, msg, len, flags);

	else
@@ -2200,6 +2192,22 @@ vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, 
	release_sock(sk);

	return err;

}



int

vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

			  int flags)

{

#ifdef CONFIG_BPF_SYSCALL

	struct sock *sk = sock->sk;

	const struct proto *prot;



	prot = READ_ONCE(sk->sk_prot);

	if (prot != &vsock_proto)

		return prot->recvmsg(sk, msg, len, flags, NULL);

#endif



	return __vsock_connectible_recvmsg(sock, msg, len, flags);

}

EXPORT_SYMBOL_GPL(vsock_connectible_recvmsg);



static int vsock_set_rcvlowat(struct sock *sk, int val)

net/vmw_vsock/vsock_bpf.c

+2 −2
Original line number Diff line number Diff line
@@ -64,9 +64,9 @@ static int __vsock_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int 
	int err;



	if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)

		err = vsock_connectible_recvmsg(sock, msg, len, flags);

		err = __vsock_connectible_recvmsg(sock, msg, len, flags);

	else if (sk->sk_type == SOCK_DGRAM)

		err = vsock_dgram_recvmsg(sock, msg, len, flags);

		err = __vsock_dgram_recvmsg(sock, msg, len, flags);

	else

		err = -EPROTOTYPE;