| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/net/geneve.c", |
| "include/net/ip_tunnels.h" |
| ], |
| "versions": [ |
| { |
| "version": "35385daa8db320d2d9664930c28e732578b0d7de", |
| "lessThan": "43be590456e1f3566054ce78ae2dbb68cbe1a536", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6f92124d74419797fadfbcd5b7a72c384a6413ad", |
| "lessThan": "d3adf11d7993518a39bd02b383cfe657ccc0023c", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "71ad9260c001b217d704cda88ecea251b2d367da", |
| "lessThan": "10204df9beda4978bd1d0c2db0d8375bfb03b915", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "d13f048dd40e8577260cd43faea8ec9b77520197", |
| "lessThan": "3c1ae6de74e3d2d6333d29a2d3e13e6094596c79", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "d13f048dd40e8577260cd43faea8ec9b77520197", |
| "lessThan": "4a1b65d1e55d53b397cb27014208be1e04172670", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "d13f048dd40e8577260cd43faea8ec9b77520197", |
| "lessThan": "190d9efa5773f26d6f334b1b8be282c4fa13fd5e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "d13f048dd40e8577260cd43faea8ec9b77520197", |
| "lessThan": "357163fff3a6e48fe74745425a32071ec9caf852", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "d13f048dd40e8577260cd43faea8ec9b77520197", |
| "lessThan": "d8a6213d70accb403b82924a1c229e733433a5ef", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "9a51e36ebf433adf59c051bec33f5aa54640bb4d", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "21815f28af8081b258552c111774ff320cf38d38", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/net/geneve.c", |
| "include/net/ip_tunnels.h" |
| ], |
| "versions": [ |
| { |
| "version": "5.13", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.13", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.19.313", |
| "lessThanOrEqual": "4.19.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.275", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.216", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.156", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.87", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.28", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.8.7", |
| "lessThanOrEqual": "6.8.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.9", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.19.191", |
| "versionEndExcluding": "4.19.313" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.4.119", |
| "versionEndExcluding": "5.4.275" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.10.37", |
| "versionEndExcluding": "5.10.216" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.15.156" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "6.1.87" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "6.6.28" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "6.8.7" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "6.9" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.11.21" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.12.4" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef" |
| } |
| ], |
| "title": "geneve: fix header validation in geneve[6]_xmit_skb", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-35973", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
