cve/published/2024/CVE-2024-26733.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26733: arp: Prevent overflow in arp_req_get().

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 arp: Prevent overflow in arp_req_get().

 syzkaller reported an overflown write in arp_req_get(). [0]

 When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
 entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.

 The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
 the sa_data buffer is just 14 bytes.

 In the splat below, 2 bytes are overflown to the next int field,
 arp_flags.  We initialise the field just after the memcpy(), so it's
 not a problem.

 However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
 arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
 in arp_ioctl() before calling arp_req_get().

 To avoid the overflow, let's limit the max length of memcpy().

 Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
 array in struct sockaddr") just silenced syzkaller.

 [0]:
 memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
 WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
 Modules linked in:
 CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
 FS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
  arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
  inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
  sock_do_ioctl+0xdf/0x260 net/socket.c:1204
  sock_ioctl+0x3ef/0x650 net/socket.c:1321
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:870 [inline]
  __se_sys_ioctl fs/ioctl.c:856 [inline]
  __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
  entry_SYSCALL_64_after_hwframe+0x64/0xce
 RIP: 0033:0x7f172b262b8d
 Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
 RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-26733 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.211 with commit dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.150 with commit 97eaa2955db4120ce6ec2ef123e860bc32232c50
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.80 with commit f119f2325ba70cbfdec701000dcad4d88805d5b0
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.19 with commit a3f2c083cb575d80a7627baf3339e78fedccbb91
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.7.7 with commit 3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8 with commit a7d6027790acea24446ddd6632d394096c0f4667

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26733
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/arp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
 	https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50
 	https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0
 	https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91
 	https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
 	https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26733: arp: Prevent overflow in arp_req_get().

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	arp: Prevent overflow in arp_req_get().

	syzkaller reported an overflown write in arp_req_get(). [0]

	When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
	entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.

	The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
	the sa_data buffer is just 14 bytes.

	In the splat below, 2 bytes are overflown to the next int field,
	arp_flags. We initialise the field just after the memcpy(), so it's
	not a problem.

	However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
	arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
	in arp_ioctl() before calling arp_req_get().

	To avoid the overflow, let's limit the max length of memcpy().

	Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
	array in struct sockaddr") just silenced syzkaller.

	[0]:
	memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
	WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
	Modules linked in:
	CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
	RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
	Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
	RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
	RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
	R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
	R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
	FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 55555554
	Call Trace:
	<TASK>
	arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
	inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
	sock_do_ioctl+0xdf/0x260 net/socket.c:1204
	sock_ioctl+0x3ef/0x650 net/socket.c:1321
	vfs_ioctl fs/ioctl.c:51 [inline]
	__do_sys_ioctl fs/ioctl.c:870 [inline]
	__se_sys_ioctl fs/ioctl.c:856 [inline]
	__x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
	entry_SYSCALL_64_after_hwframe+0x64/0xce
	RIP: 0033:0x7f172b262b8d
	Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
	RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
	RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-26733 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.211 with commit dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.150 with commit 97eaa2955db4120ce6ec2ef123e860bc32232c50
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.80 with commit f119f2325ba70cbfdec701000dcad4d88805d5b0
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.19 with commit a3f2c083cb575d80a7627baf3339e78fedccbb91
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.7.7 with commit 3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8 with commit a7d6027790acea24446ddd6632d394096c0f4667

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26733
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/arp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
	https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50
	https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0
	https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91
	https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
	https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667