From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-36927: ipv4: Fix uninit-value access in __ip_make_skb()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix uninit-value access in __ip_make_skb()
KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
while __ip_make_skb() is running, the function will access icmphdr in the
skb even if it is not included. This causes the issue reported by KMSAN.
Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
on the socket.
Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
are union in struct flowi4 and are implicitly initialized by
flowi4_init_output(), but we should not rely on specific union layout.
Initialize these explicitly in raw_sendmsg().
[1]
BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
__ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
ip_finish_skb include/net/ip.h:243 [inline]
ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
__ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
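The race the commit message describes is a time-of-check/time-of-use on a socket option: the send path decides where the ICMP type lives based on IP_HDRINCL, and a concurrent setsockopt(2) can flip that bit between the decision that built the skb and the re-check in __ip_make_skb(). The userland C model below is an added example, not kernel code; it uses the kernel's names (FLOWI_FLAG_KNOWN_NH, fl4_icmp_type, HDRINCL) but its struct layouts, flag values, the 0xA5 poison byte and the constructed echo-request buffer are this example's own. It shows the pre-fix check reading a byte the sender never wrote, and the post-fix check, which consults the per-send flow snapshot taken at the start of raw_sendmsg(), returning the probed type regardless of what the socket bit says afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in values for this model; the kernel's real values differ. */
#define FLOWI_FLAG_KNOWN_NH 0x01u
#define ICMP_ECHO_TYPE      8
#define POISON              0xA5   /* marks memory the sender never wrote */

struct sock {
    bool hdrincl;   /* IP_HDRINCL; another thread may flip it via setsockopt(2) */
    bool raw;       /* SOCK_RAW */
};

struct flowi4 {     /* per-send snapshot, lives on raw_sendmsg()'s stack */
    unsigned flowi4_flags;
    uint8_t  fl4_icmp_type;
    uint8_t  fl4_icmp_code;
};

struct skb {
    uint8_t linear[8];   /* where icmp_hdr(skb) would point */
};

/* Models flowi4_init_output() plus the fix's explicit initialisation:
 * the HDRINCL decision is captured once, and the ICMP fields are zeroed
 * directly instead of relying on a union layout. */
static void flow_init(struct flowi4 *fl4, const struct sock *sk)
{
    memset(fl4, 0, sizeof *fl4);
    if (sk->hdrincl)
        fl4->flowi4_flags |= FLOWI_FLAG_KNOWN_NH;
    fl4->fl4_icmp_type = 0;
    fl4->fl4_icmp_code = 0;
}

/* Models raw_sendmsg() up to ip_append_data() on the only path that reaches
 * __ip_make_skb(): HDRINCL clear when the send starts. The ICMP type/code
 * are probed from the user buffer into the flow, and the payload is treated
 * as having landed in a fragment, so the linear area stays unwritten. */
static void raw_build(struct skb *skb, struct flowi4 *fl4, const struct sock *sk,
                      const uint8_t *user, size_t n)
{
    flow_init(fl4, sk);
    memset(skb->linear, POISON, sizeof skb->linear);  /* model of unzeroed slab memory */
    if (!(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH) && n >= 2) {
        fl4->fl4_icmp_type = user[0];   /* what raw_probe_proto_opt() would record */
        fl4->fl4_icmp_code = user[1];
    }
}

/* Pre-fix shape of the check: re-reads the live socket bit. */
static uint8_t icmp_type_prefix(const struct sock *sk, const struct flowi4 *fl4,
                                const struct skb *skb)
{
    if (sk->raw && !sk->hdrincl)
        return fl4->fl4_icmp_type;
    return skb->linear[0];   /* icmp_hdr(skb)->type: never written on this path */
}

/* Post-fix shape of the check: decides from the flow snapshot. */
static uint8_t icmp_type_postfix(const struct sock *sk, const struct flowi4 *fl4,
                                 const struct skb *skb)
{
    if (sk->raw && !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH))
        return fl4->fl4_icmp_type;
    return skb->linear[0];
}

/* One send with IP_HDRINCL clear; the option is flipped between
 * ip_append_data() and __ip_make_skb() exactly as a racing setsockopt()
 * would do it. Returns the ICMP type the chosen check variant reads. */
static uint8_t race_demo(bool use_fix)
{
    static const uint8_t echo_req[] = { ICMP_ECHO_TYPE, 0, 0, 0 };  /* constructed input */
    struct sock sk = { .hdrincl = false, .raw = true };
    struct flowi4 fl4;
    struct skb skb;

    raw_build(&skb, &fl4, &sk, echo_req, sizeof echo_req);
    sk.hdrincl = true;   /* the racing setsockopt(IP_HDRINCL, 1) lands here */
    return use_fix ? icmp_type_postfix(&sk, &fl4, &skb)
                   : icmp_type_prefix(&sk, &fl4, &skb);
}

int main(void)
{
    printf("pre-fix check read type 0x%02x (unwritten memory), post-fix check read %u\n",
           race_demo(false), race_demo(true));
    return 0;
}
```

The general lesson the fix encodes: any decision a multi-step operation makes about its own data should be taken from state that is private to that operation (here the flowi4 on the sender's stack), never re-derived from a shared object that an unprivileged caller can mutate mid-flight.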
The Linux kernel CVE team has assigned CVE-2024-36927 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.1.28 with commit fc60067260c20da8cddcf968bec47416f3e2cde2 and fixed in 6.1.140 with commit 55bf541e018b76b3750cb6c6ea18c46e1ac5562e
Issue introduced in 6.4 with commit 99e5acae193e369b71217efe6f1dad42f3f18815 and fixed in 6.6.31 with commit 5db08343ddb1b239320612036c398e4e1bb52818
Issue introduced in 6.4 with commit 99e5acae193e369b71217efe6f1dad42f3f18815 and fixed in 6.8.10 with commit f5c603ad4e6fcf42f84053e882ebe20184bb309e
Issue introduced in 6.4 with commit 99e5acae193e369b71217efe6f1dad42f3f18815 and fixed in 6.9 with commit fc1092f51567277509563800a3c56732070b6aa4
Issue introduced in 4.14.315 with commit dc4e3bb0710178c8d03fc43064e0a71fe7440cdd
Issue introduced in 4.19.283 with commit 022ea4374c319690c804706bda9dc42946d1556d
Issue introduced in 5.4.243 with commit 27c468ec1af113f6ae94fb5378f65e6038bd16e7
Issue introduced in 5.10.180 with commit 566785731c6dd41ef815196ddc36d1ae30a63763
Issue introduced in 5.15.111 with commit a54ec573d9b81b05d368f8e6edc1b3e49f688658
Issue introduced in 6.2.15 with commit 32a5a13d556e4f804e5a447a08c70b172d600707
Issue introduced in 6.3.2 with commit 9e3c96aed8fe32907e0a4bca05aad457629a820c
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-36927
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv4/ip_output.c
net/ipv4/raw.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/55bf541e018b76b3750cb6c6ea18c46e1ac5562e
https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818
https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e
https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4