cve/published/2024/CVE-2024-26707.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26707: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

 Syzkaller reported [1] hitting a warning after failing to allocate
 resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will
 not help much in this case, it might be prudent to switch to
 netdev_warn_once(). At the very least it will suppress syzkaller
 reports such as [1].

 Just in case, use netdev_warn_once() in send_prp_supervision_frame()
 for similar reasons.

 [1]
 HSR: Could not send supervision frame
 WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
 RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
 ...
 Call Trace:
  <IRQ>
  hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382
  call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
  expire_timers kernel/time/timer.c:1751 [inline]
  __run_timers+0x764/0xb20 kernel/time/timer.c:2022
  run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
  __do_softirq+0x21a/0x8de kernel/softirq.c:553
  invoke_softirq kernel/softirq.c:427 [inline]
  __irq_exit_rcu kernel/softirq.c:632 [inline]
  irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
  sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
  </IRQ>
  <TASK>
  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
 ...

 This issue is also found in older kernels (at least up to 5.10).

 The Linux kernel CVE team has assigned CVE-2024-26707 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 5.10.210 with commit 0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb
 	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 5.15.149 with commit de769423b2f053182a41317c4db5a927e90622a0
 	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.1.79 with commit 56440799fc4621c279df16176f83a995d056023a
 	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.6.18 with commit 923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8
 	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.7.6 with commit 547545e50c913861219947ce490c68a1776b9b51
 	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.8 with commit 37e8c97e539015637cb920d3e6f1e404f707a06e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26707
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/hsr/hsr_device.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb
 	https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0
 	https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a
 	https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8
 	https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51
 	https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26707: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

	Syzkaller reported [1] hitting a warning after failing to allocate
	resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will
	not help much in this case, it might be prudent to switch to
	netdev_warn_once(). At the very least it will suppress syzkaller
	reports such as [1].

	Just in case, use netdev_warn_once() in send_prp_supervision_frame()
	for similar reasons.

	[1]
	HSR: Could not send supervision frame
	WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
	RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
	...
	Call Trace:
	<IRQ>
	hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382
	call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
	expire_timers kernel/time/timer.c:1751 [inline]
	__run_timers+0x764/0xb20 kernel/time/timer.c:2022
	run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
	__do_softirq+0x21a/0x8de kernel/softirq.c:553
	invoke_softirq kernel/softirq.c:427 [inline]
	__irq_exit_rcu kernel/softirq.c:632 [inline]
	irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
	sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
	</IRQ>
	<TASK>
	asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
	...

	This issue is also found in older kernels (at least up to 5.10).

	The Linux kernel CVE team has assigned CVE-2024-26707 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 5.10.210 with commit 0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb
	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 5.15.149 with commit de769423b2f053182a41317c4db5a927e90622a0
	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.1.79 with commit 56440799fc4621c279df16176f83a995d056023a
	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.6.18 with commit 923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8
	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.7.6 with commit 547545e50c913861219947ce490c68a1776b9b51
	Issue introduced in 5.9 with commit 121c33b07b3127f501b366bc23d2a590e2f2b8ef and fixed in 6.8 with commit 37e8c97e539015637cb920d3e6f1e404f707a06e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26707
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/hsr/hsr_device.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb
	https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0
	https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a
	https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8
	https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51
	https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e