cve/published/2024/CVE-2024-38538.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38538: net: bridge: xmit: make sure we have at least eth header len bytes

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: bridge: xmit: make sure we have at least eth header len bytes

 syzbot triggered an uninit value[1] error in bridge device's xmit path
 by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
 we can actually pull that amount instead of assuming.

 Tested with dropwatch:
  drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
  origin: software
  timestamp: Mon May 13 11:31:53 2024 778214037 nsec
  protocol: 0x88a8
  length: 2
  original length: 2
  drop reason: PKT_TOO_SMALL

 [1]
 BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
  br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
  netdev_start_xmit include/linux/netdevice.h:4917 [inline]
  xmit_one net/core/dev.c:3531 [inline]
  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
  __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
  dev_queue_xmit include/linux/netdevice.h:3091 [inline]
  __bpf_tx_skb net/core/filter.c:2136 [inline]
  __bpf_redirect_common net/core/filter.c:2180 [inline]
  __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
  ____bpf_clone_redirect net/core/filter.c:2460 [inline]
  bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
  ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
  __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
  bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
  __bpf_prog_run include/linux/filter.h:657 [inline]
  bpf_prog_run include/linux/filter.h:664 [inline]
  bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
  bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
  bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
  __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
  __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
  __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
  x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The Linux kernel CVE team has assigned CVE-2024-38538 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.324 with commit 3e01fc3c66e65d9afe98f1489047a1b2dd8741ca
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.286 with commit b2b7c43cd32080221bb233741bd6011983fe7c11
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.230 with commit 82090f94c723dab724b1c32db406091d40448a17
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.172 with commit c964429ef53f42098a6545a5dabeb1441c1e821d
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.93 with commit 28126b83f86ab9cc7936029c2dff845d3dcedba2
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.33 with commit 1abb371147905ba250b4cc0230c4be7e90bea4d5
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.12 with commit f482fd4ce919836a49012b2d31b00fc36e2488f2
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9.3 with commit 5b5d669f569807c7ab07546e73c0741845a2547a
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.10 with commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38538
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bridge/br_device.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3e01fc3c66e65d9afe98f1489047a1b2dd8741ca
 	https://git.kernel.org/stable/c/b2b7c43cd32080221bb233741bd6011983fe7c11
 	https://git.kernel.org/stable/c/82090f94c723dab724b1c32db406091d40448a17
 	https://git.kernel.org/stable/c/c964429ef53f42098a6545a5dabeb1441c1e821d
 	https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2
 	https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5
 	https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2
 	https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a
 	https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38538: net: bridge: xmit: make sure we have at least eth header len bytes

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: bridge: xmit: make sure we have at least eth header len bytes

	syzbot triggered an uninit value[1] error in bridge device's xmit path
	by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
	we can actually pull that amount instead of assuming.

	Tested with dropwatch:
	drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
	origin: software
	timestamp: Mon May 13 11:31:53 2024 778214037 nsec
	protocol: 0x88a8
	length: 2
	original length: 2
	drop reason: PKT_TOO_SMALL

	[1]
	BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
	br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
	__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
	netdev_start_xmit include/linux/netdevice.h:4917 [inline]
	xmit_one net/core/dev.c:3531 [inline]
	dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
	__dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
	dev_queue_xmit include/linux/netdevice.h:3091 [inline]
	__bpf_tx_skb net/core/filter.c:2136 [inline]
	__bpf_redirect_common net/core/filter.c:2180 [inline]
	__bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
	____bpf_clone_redirect net/core/filter.c:2460 [inline]
	bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
	___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
	__bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
	bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
	__bpf_prog_run include/linux/filter.h:657 [inline]
	bpf_prog_run include/linux/filter.h:664 [inline]
	bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
	bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
	bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
	__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
	__do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
	__x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
	x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The Linux kernel CVE team has assigned CVE-2024-38538 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.324 with commit 3e01fc3c66e65d9afe98f1489047a1b2dd8741ca
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.286 with commit b2b7c43cd32080221bb233741bd6011983fe7c11
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.230 with commit 82090f94c723dab724b1c32db406091d40448a17
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.172 with commit c964429ef53f42098a6545a5dabeb1441c1e821d
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.93 with commit 28126b83f86ab9cc7936029c2dff845d3dcedba2
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.33 with commit 1abb371147905ba250b4cc0230c4be7e90bea4d5
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.12 with commit f482fd4ce919836a49012b2d31b00fc36e2488f2
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9.3 with commit 5b5d669f569807c7ab07546e73c0741845a2547a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.10 with commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38538
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bridge/br_device.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3e01fc3c66e65d9afe98f1489047a1b2dd8741ca
	https://git.kernel.org/stable/c/b2b7c43cd32080221bb233741bd6011983fe7c11
	https://git.kernel.org/stable/c/82090f94c723dab724b1c32db406091d40448a17
	https://git.kernel.org/stable/c/c964429ef53f42098a6545a5dabeb1441c1e821d
	https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2
	https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5
	https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2
	https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a
	https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc