Total vulnerabilities in the database
In the Linux kernel, the following vulnerability has been resolved:
tcp: add sanity checks to rx zerocopy
TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs.
This patch adds to can_map_frag() these additional checks:
This fixes the panic reported by ZhangPeng.
syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy.
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0)
| Software | From | Fixed in |
|---|---|---|
| linux / linux_kernel | 6.8-rc1 | 6.8-rc1.x |
| linux / linux_kernel | 5.11 | 5.15.149 |
| linux / linux_kernel | 6.8-rc2 | 6.8-rc2.x |
| linux / linux_kernel | 6.7 | 6.7.4 |
| linux / linux_kernel | 6.2 | 6.6.16 |
| linux / linux_kernel | 5.16 | 6.1.77 |
| linux / linux_kernel | 4.18 | 5.10.210 |
| debian / debian_linux | 10.0 | 10.0.x |