cve/published/2024/CVE-2024-33621.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-33621: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

 Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will
 hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.

 WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70
 Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper
 CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 RIP: 0010:sk_mc_loop+0x2d/0x70
 Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c
 RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212
 RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001
 RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000
 RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00
 R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000
 R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000
 FS:  0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
 <IRQ>
  ? __warn (kernel/panic.c:693)
  ? sk_mc_loop (net/core/sock.c:760)
  ? report_bug (lib/bug.c:201 lib/bug.c:219)
  ? handle_bug (arch/x86/kernel/traps.c:239)
  ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
  ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
  ? sk_mc_loop (net/core/sock.c:760)
  ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))
  ? nf_hook_slow (net/netfilter/core.c:626)
  ip6_finish_output (net/ipv6/ip6_output.c:222)
  ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)
  ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan
  ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan
  dev_hard_start_xmit (net/core/dev.c:3594)
  sch_direct_xmit (net/sched/sch_generic.c:343)
  __qdisc_run (net/sched/sch_generic.c:416)
  net_tx_action (net/core/dev.c:5286)
  handle_softirqs (kernel/softirq.c:555)
  __irq_exit_rcu (kernel/softirq.c:589)
  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)

 The warning triggers as this:
 packet_sendmsg
    packet_snd //skb->sk is packet sk
       __dev_queue_xmit
          __dev_xmit_skb //q->enqueue is not NULL
              __qdisc_run
                sch_direct_xmit
                  dev_hard_start_xmit
                    ipvlan_start_xmit
                       ipvlan_xmit_mode_l3 //l3 mode
                         ipvlan_process_outbound //vepa flag
                           ipvlan_process_v6_outbound
                             ip6_local_out
                                 __ip6_finish_output
                                   ip6_finish_output2 //multicast packet
                                     sk_mc_loop //sk->sk_family is AF_PACKET

 Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.

 The Linux kernel CVE team has assigned CVE-2024-33621 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.19.316 with commit 0049a623dfbbb49888de7f0c2f33a582b5ead989
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.4.278 with commit 54768bacfde60e8e4757968d79f8726711dd2cf5
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.10.219 with commit 1abbf079da59ef559d0ab4219d2a0302f7970761
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.15.161 with commit 183c4b416454b9983dc1b8aa0022b748911adc48
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.1.93 with commit cb53706a3403ba67f4040b2a82d9cf79e11b1a48
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.6.33 with commit 54213c09801e0bd2549ac42961093be36f65a7d0
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.9.4 with commit 13c4543db34e0da5a7d2f550b6262d860f248381
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.10 with commit b3dc6e8003b500861fa307e9a3400c52e78e4d3a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-33621
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ipvlan/ipvlan_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989
 	https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5
 	https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761
 	https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48
 	https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48
 	https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0
 	https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381
 	https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-33621: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

	Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will
	hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.

	WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70
	Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper
	CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	RIP: 0010:sk_mc_loop+0x2d/0x70
	Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c
	RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212
	RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001
	RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000
	RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00
	R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000
	R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000
	FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<IRQ>
	? __warn (kernel/panic.c:693)
	? sk_mc_loop (net/core/sock.c:760)
	? report_bug (lib/bug.c:201 lib/bug.c:219)
	? handle_bug (arch/x86/kernel/traps.c:239)
	? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
	? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
	? sk_mc_loop (net/core/sock.c:760)
	ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))
	? nf_hook_slow (net/netfilter/core.c:626)
	ip6_finish_output (net/ipv6/ip6_output.c:222)
	? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)
	ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan
	ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan
	dev_hard_start_xmit (net/core/dev.c:3594)
	sch_direct_xmit (net/sched/sch_generic.c:343)
	__qdisc_run (net/sched/sch_generic.c:416)
	net_tx_action (net/core/dev.c:5286)
	handle_softirqs (kernel/softirq.c:555)
	__irq_exit_rcu (kernel/softirq.c:589)
	sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)

	The warning triggers as this:
	packet_sendmsg
	packet_snd //skb->sk is packet sk
	__dev_queue_xmit
	__dev_xmit_skb //q->enqueue is not NULL
	__qdisc_run
	sch_direct_xmit
	dev_hard_start_xmit
	ipvlan_start_xmit
	ipvlan_xmit_mode_l3 //l3 mode
	ipvlan_process_outbound //vepa flag
	ipvlan_process_v6_outbound
	ip6_local_out
	__ip6_finish_output
	ip6_finish_output2 //multicast packet
	sk_mc_loop //sk->sk_family is AF_PACKET

	Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.

	The Linux kernel CVE team has assigned CVE-2024-33621 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.19.316 with commit 0049a623dfbbb49888de7f0c2f33a582b5ead989
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.4.278 with commit 54768bacfde60e8e4757968d79f8726711dd2cf5
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.10.219 with commit 1abbf079da59ef559d0ab4219d2a0302f7970761
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.15.161 with commit 183c4b416454b9983dc1b8aa0022b748911adc48
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.1.93 with commit cb53706a3403ba67f4040b2a82d9cf79e11b1a48
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.6.33 with commit 54213c09801e0bd2549ac42961093be36f65a7d0
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.9.4 with commit 13c4543db34e0da5a7d2f550b6262d860f248381
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.10 with commit b3dc6e8003b500861fa307e9a3400c52e78e4d3a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-33621
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ipvlan/ipvlan_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989
	https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5
	https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761
	https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48
	https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48
	https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0
	https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381
	https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a