cve/published/2024/CVE-2024-26633.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26633: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

 syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.

 Reading frag_off can only be done if we pulled enough bytes
 to skb->head. Currently we might access garbage.

 [1]
 BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
 ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

 Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
 pskb_may_pull include/linux/skbuff.h:2681 [inline]
 ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
 ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

 CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

 The Linux kernel CVE team has assigned CVE-2024-26633 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 4.19.306 with commit 135414f300c5db995e2a2f3bf0f455de9d014aee
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 5.4.268 with commit 3f15ba3dc14e6ee002ea01b4faddc3d49200377c
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 5.10.209 with commit da23bd709b46168f7dfc36055801011222b076cd
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 5.15.148 with commit 4329426cf6b8e22b798db2331c7ef1dd2a9c748d
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.1.75 with commit 62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.6.14 with commit 687c5d52fe53e602e76826dbd4d7af412747e183
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.7.2 with commit ba8d904c274268b18ef3dc11d3ca7b24a96cb087
 	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.8 with commit d375b98e0248980681e5e56b712026174d617198
 	Issue introduced in 3.2.87 with commit a6f6bb6bc04a5f88a31f47a6123d3fbf5ee8d694
 	Issue introduced in 3.10.106 with commit 72bbf335e7aad09c88c50dbdd238f4faabd12174
 	Issue introduced in 3.12.71 with commit decccc92ee0a978a1c268b5df16824cb6384ed3c
 	Issue introduced in 3.16.42 with commit d3d9b59ab32160e3cc4edcf7e5fa7cecb53a7d25
 	Issue introduced in 3.18.49 with commit d397f7035d2c754781bbe93b07b94d8cd898620c
 	Issue introduced in 4.4.50 with commit 41e07a7e01d951cfd4c9a7dac90c921269d89513
 	Issue introduced in 4.9.11 with commit a7fe4e5d06338e1a82b1977eca37400951f99730

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26633
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/ip6_tunnel.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee
 	https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c
 	https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd
 	https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d
 	https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
 	https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183
 	https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087
 	https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26633: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

	syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.

	Reading frag_off can only be done if we pulled enough bytes
	to skb->head. Currently we might access garbage.

	[1]
	BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
	ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
	ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
	ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
	__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
	netdev_start_xmit include/linux/netdevice.h:4954 [inline]
	xmit_one net/core/dev.c:3548 [inline]
	dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
	__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
	dev_queue_xmit include/linux/netdevice.h:3134 [inline]
	neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
	neigh_output include/net/neighbour.h:542 [inline]
	ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
	ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
	NF_HOOK_COND include/linux/netfilter.h:303 [inline]
	ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
	dst_output include/net/dst.h:451 [inline]
	ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
	ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
	ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
	rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
	rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
	inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg net/socket.c:745 [inline]
	____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	Uninit was created at:
	slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
	slab_alloc_node mm/slub.c:3478 [inline]
	__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
	__do_kmalloc_node mm/slab_common.c:1006 [inline]
	__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
	kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
	pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
	__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
	pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
	pskb_may_pull include/linux/skbuff.h:2681 [inline]
	ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
	ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
	ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
	__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
	netdev_start_xmit include/linux/netdevice.h:4954 [inline]
	xmit_one net/core/dev.c:3548 [inline]
	dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
	__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
	dev_queue_xmit include/linux/netdevice.h:3134 [inline]
	neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
	neigh_output include/net/neighbour.h:542 [inline]
	ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
	ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
	NF_HOOK_COND include/linux/netfilter.h:303 [inline]
	ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
	dst_output include/net/dst.h:451 [inline]
	ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
	ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
	ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
	rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
	rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
	inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg net/socket.c:745 [inline]
	____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

	The Linux kernel CVE team has assigned CVE-2024-26633 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 4.19.306 with commit 135414f300c5db995e2a2f3bf0f455de9d014aee
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 5.4.268 with commit 3f15ba3dc14e6ee002ea01b4faddc3d49200377c
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 5.10.209 with commit da23bd709b46168f7dfc36055801011222b076cd
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 5.15.148 with commit 4329426cf6b8e22b798db2331c7ef1dd2a9c748d
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.1.75 with commit 62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.6.14 with commit 687c5d52fe53e602e76826dbd4d7af412747e183
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.7.2 with commit ba8d904c274268b18ef3dc11d3ca7b24a96cb087
	Issue introduced in 4.10 with commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 and fixed in 6.8 with commit d375b98e0248980681e5e56b712026174d617198
	Issue introduced in 3.2.87 with commit a6f6bb6bc04a5f88a31f47a6123d3fbf5ee8d694
	Issue introduced in 3.10.106 with commit 72bbf335e7aad09c88c50dbdd238f4faabd12174
	Issue introduced in 3.12.71 with commit decccc92ee0a978a1c268b5df16824cb6384ed3c
	Issue introduced in 3.16.42 with commit d3d9b59ab32160e3cc4edcf7e5fa7cecb53a7d25
	Issue introduced in 3.18.49 with commit d397f7035d2c754781bbe93b07b94d8cd898620c
	Issue introduced in 4.4.50 with commit 41e07a7e01d951cfd4c9a7dac90c921269d89513
	Issue introduced in 4.9.11 with commit a7fe4e5d06338e1a82b1977eca37400951f99730

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26633
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/ip6_tunnel.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee
	https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c
	https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd
	https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d
	https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
	https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183
	https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087
	https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198