cve/published/2024/CVE-2024-42076.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42076: net: can: j1939: Initialize unused data in j1939_send_one()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: can: j1939: Initialize unused data in j1939_send_one()

 syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
 creates full frame including unused data, but it doesn't initialize
 it. This causes the kernel-infoleak issue. Fix this by initializing
 unused data.

 [1]
 BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
 BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
 BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
 BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
  copy_to_user_iter lib/iov_iter.c:24 [inline]
  iterate_ubuf include/linux/iov_iter.h:29 [inline]
  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
  iterate_and_advance include/linux/iov_iter.h:271 [inline]
  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
  copy_to_iter include/linux/uio.h:196 [inline]
  memcpy_to_msg include/linux/skbuff.h:4113 [inline]
  raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
  sock_recvmsg_nosec net/socket.c:1046 [inline]
  sock_recvmsg+0x2c4/0x340 net/socket.c:1068
  ____sys_recvmsg+0x18a/0x620 net/socket.c:2803
  ___sys_recvmsg+0x223/0x840 net/socket.c:2845
  do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
  __sys_recvmmsg net/socket.c:3018 [inline]
  __do_sys_recvmmsg net/socket.c:3041 [inline]
  __se_sys_recvmmsg net/socket.c:3034 [inline]
  __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
  x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3804 [inline]
  slab_alloc_node mm/slub.c:3845 [inline]
  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
  alloc_skb include/linux/skbuff.h:1313 [inline]
  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
  sock_alloc_send_skb include/net/sock.h:1842 [inline]
  j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
  j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
  j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:745
  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
  __sys_sendmsg net/socket.c:2667 [inline]
  __do_sys_sendmsg net/socket.c:2676 [inline]
  __se_sys_sendmsg net/socket.c:2674 [inline]
  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
  x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Bytes 12-15 of 16 are uninitialized
 Memory access of size 16 starts at ffff888120969690
 Data copied to user address 00000000200017c0

 CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024

 The Linux kernel CVE team has assigned CVE-2024-42076 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.4.279 with commit 5e4ed38eb17eaca42de57d500cc0f9668d2b6abf
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.10.221 with commit a2a0ebff7fdeb2f66e29335adf64b9e457300dd4
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.15.162 with commit 4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.1.97 with commit f97cbce633923588307049c4aef9feb2987e371b
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.6.37 with commit ab2a683938ba4416d389c2f5651cbbb2c41b779f
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.9.8 with commit ba7e5ae8208ac07d8e1eace0951a34c169a2d298
 	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.10 with commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42076
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/can/j1939/main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf
 	https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4
 	https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f
 	https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b
 	https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f
 	https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298
 	https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42076: net: can: j1939: Initialize unused data in j1939_send_one()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: can: j1939: Initialize unused data in j1939_send_one()

	syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
	creates full frame including unused data, but it doesn't initialize
	it. This causes the kernel-infoleak issue. Fix this by initializing
	unused data.

	[1]
	BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
	BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
	BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
	BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
	BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
	BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
	instrument_copy_to_user include/linux/instrumented.h:114 [inline]
	copy_to_user_iter lib/iov_iter.c:24 [inline]
	iterate_ubuf include/linux/iov_iter.h:29 [inline]
	iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
	iterate_and_advance include/linux/iov_iter.h:271 [inline]
	_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
	copy_to_iter include/linux/uio.h:196 [inline]
	memcpy_to_msg include/linux/skbuff.h:4113 [inline]
	raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
	sock_recvmsg_nosec net/socket.c:1046 [inline]
	sock_recvmsg+0x2c4/0x340 net/socket.c:1068
	____sys_recvmsg+0x18a/0x620 net/socket.c:2803
	___sys_recvmsg+0x223/0x840 net/socket.c:2845
	do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
	__sys_recvmmsg net/socket.c:3018 [inline]
	__do_sys_recvmmsg net/socket.c:3041 [inline]
	__se_sys_recvmmsg net/socket.c:3034 [inline]
	__x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
	x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:3804 [inline]
	slab_alloc_node mm/slub.c:3845 [inline]
	kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
	__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
	alloc_skb include/linux/skbuff.h:1313 [inline]
	alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
	sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
	sock_alloc_send_skb include/net/sock.h:1842 [inline]
	j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
	j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
	j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	____sys_sendmsg+0x877/0xb60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
	x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Bytes 12-15 of 16 are uninitialized
	Memory access of size 16 starts at ffff888120969690
	Data copied to user address 00000000200017c0

	CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024

	The Linux kernel CVE team has assigned CVE-2024-42076 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.4.279 with commit 5e4ed38eb17eaca42de57d500cc0f9668d2b6abf
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.10.221 with commit a2a0ebff7fdeb2f66e29335adf64b9e457300dd4
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 5.15.162 with commit 4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.1.97 with commit f97cbce633923588307049c4aef9feb2987e371b
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.6.37 with commit ab2a683938ba4416d389c2f5651cbbb2c41b779f
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.9.8 with commit ba7e5ae8208ac07d8e1eace0951a34c169a2d298
	Issue introduced in 5.4 with commit 9d71dd0c70099914fcd063135da3c580865e924c and fixed in 6.10 with commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42076
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/can/j1939/main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf
	https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4
	https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f
	https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b
	https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f
	https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298
	https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134