CVE-2024-50034

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix lacks of icsksynmss with IPPROTO_SMC

Eric report a panic on IPPROTOSMC, and give the facts that when INETPROTOSWICSK was set, icsk->icsksync_mss must be set too.

Bug: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000005 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000 [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003, pud=0000000000000000 Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : cipsov4socksetattr+0x2a8/0x3c0 net/ipv4/cipsoipv4.c:1910 sp : ffff80009b887a90 x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000 x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00 x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000 x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001 x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003 x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000 Call trace: 0x0 netlblsocksetattr+0x2e4/0x338 net/netlabel/netlabelkapi.c:1000 smacknetlbladd+0xa4/0x154 security/smack/smacklsm.c:2593 smacksocketpostcreate+0xa8/0x14c security/smack/smacklsm.c:2973 securitysocketpost_create+0x94/0xd4 security/security.c:4425 __sockcreate+0x4c8/0x884 net/socket.c:1587 sockcreate net/socket.c:1622 [inline] __syssocketcreate net/socket.c:1659 [inline] __sys_socket+0x134/0x340 net/socket.c:1706 __dosyssocket net/socket.c:1720 [inline] __sesyssocket net/socket.c:1718 [inline] __arm64syssocket+0x7c/0x94 net/socket.c:1718 __invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0x130/0x23c arch/arm64/kernel/syscall.c:132 doel0svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t64synchandler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t64sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: ???????? ???????? ???????? ???????? (????????) ---[ end trace 0000000000000000 ]---

This patch add a toy implementation that performs a simple return to prevent such panic. This is because MSS can be set in sockcreatekern or smcsetsockopt, similar to how it's done in AFSMC. However, for AF_SMC, there is currently no way to synchronize MSS within _sysconnectfile. This toy implementation lays the groundwork for us to support such feature for IPPROTOSMC in the future.