cve/published/2024/CVE-2024-41091.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41091: tun: add missing verification for short frame

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tun: add missing verification for short frame

 The cited commit missed to check against the validity of the frame length
 in the tun_xdp_one() path, which could cause a corrupted skb to be sent
 downstack. Even before the skb is transmitted, the
 tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
 can be less than ETH_HLEN. Once transmitted, this could either cause
 out-of-bound access beyond the actual length, or confuse the underlayer
 with incorrect or inconsistent header length in the skb metadata.

 In the alternative path, tun_get_user() already prohibits short frame which
 has the length less than Ethernet header size from being transmitted for
 IFF_TAP.

 This is to drop any frame shorter than the Ethernet header size just like
 how tun_get_user() does.

 CVE: CVE-2024-41091

 The Linux kernel CVE team has assigned CVE-2024-41091 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 5.4.281 with commit 32b0aaba5dbc85816898167d9b5d45a22eae82e9
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 5.10.223 with commit 6100e0237204890269e3f934acfc50d35fd6f319
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 5.15.164 with commit 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.1.102 with commit ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.6.43 with commit d5ad89b7d01ed4e66fd04734fc63d6e78536692a
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.9.12 with commit a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.10.2 with commit 8418f55302fa1d2eeb73e16e345167e545c598a5
 	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.11 with commit 049584807f1d797fc3078b68035450a9769eb5c3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41091
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/tun.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9
 	https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319
 	https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
 	https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
 	https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a
 	https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
 	https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5
 	https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41091: tun: add missing verification for short frame

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tun: add missing verification for short frame

	The cited commit missed to check against the validity of the frame length
	in the tun_xdp_one() path, which could cause a corrupted skb to be sent
	downstack. Even before the skb is transmitted, the
	tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
	can be less than ETH_HLEN. Once transmitted, this could either cause
	out-of-bound access beyond the actual length, or confuse the underlayer
	with incorrect or inconsistent header length in the skb metadata.

	In the alternative path, tun_get_user() already prohibits short frame which
	has the length less than Ethernet header size from being transmitted for
	IFF_TAP.

	This is to drop any frame shorter than the Ethernet header size just like
	how tun_get_user() does.

	CVE: CVE-2024-41091

	The Linux kernel CVE team has assigned CVE-2024-41091 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 5.4.281 with commit 32b0aaba5dbc85816898167d9b5d45a22eae82e9
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 5.10.223 with commit 6100e0237204890269e3f934acfc50d35fd6f319
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 5.15.164 with commit 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.1.102 with commit ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.6.43 with commit d5ad89b7d01ed4e66fd04734fc63d6e78536692a
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.9.12 with commit a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.10.2 with commit 8418f55302fa1d2eeb73e16e345167e545c598a5
	Issue introduced in 4.20 with commit 043d222f93ab8c76b56a3b315cd8692e35affb6c and fixed in 6.11 with commit 049584807f1d797fc3078b68035450a9769eb5c3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41091
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/tun.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9
	https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319
	https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
	https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
	https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a
	https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
	https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5
	https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3