| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-42114: wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values |
| |
| syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM |
| to 2^31. |
| |
| We had a similar issue in sch_fq, fixed with commit |
| d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM") |
| |
| watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24] |
| Modules linked in: |
| irq event stamp: 131135 |
| hardirqs last enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline] |
| hardirqs last enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95 |
| hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] |
| hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 |
| softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline] |
| softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553 |
| softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 |
| CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 |
| Workqueue: mld mld_ifc_work |
| pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) |
| pc : __list_del include/linux/list.h:195 [inline] |
| pc : __list_del_entry include/linux/list.h:218 [inline] |
| pc : list_move_tail include/linux/list.h:310 [inline] |
| pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline] |
| pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 |
| lr : __list_del_entry include/linux/list.h:218 [inline] |
| lr : list_move_tail include/linux/list.h:310 [inline] |
| lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline] |
| lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854 |
| sp : ffff800093d36700 |
| x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000 |
| x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0 |
| x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0 |
| x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0 |
| x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8 |
| x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff |
| x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000 |
| x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 |
| x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc |
| x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470 |
| Call trace: |
| __list_del include/linux/list.h:195 [inline] |
| __list_del_entry include/linux/list.h:218 [inline] |
| list_move_tail include/linux/list.h:310 [inline] |
| fq_tin_dequeue include/net/fq_impl.h:112 [inline] |
| ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 |
| wake_tx_push_queue net/mac80211/util.c:294 [inline] |
| ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315 |
| drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline] |
| schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline] |
| ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664 |
| ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966 |
| ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062 |
| __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338 |
| ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532 |
| __netdev_start_xmit include/linux/netdevice.h:4903 [inline] |
| netdev_start_xmit include/linux/netdevice.h:4917 [inline] |
| xmit_one net/core/dev.c:3531 [inline] |
| dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547 |
| __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341 |
| dev_queue_xmit include/linux/netdevice.h:3091 [inline] |
| neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563 |
| neigh_output include/net/neighbour.h:542 [inline] |
| ip6_finish_output2+0x104c/0x1ee8 net/ipv6/ip6_output.c:137 |
| ip6_finish_output+0x428/0x7a0 net/ipv6/ip6_output.c:222 |
| NF_HOOK_COND include/linux/netfilter.h:303 [inline] |
| ip6_output+0x270/0x594 net/ipv6/ip6_output.c:243 |
| dst_output include/net/dst.h:450 [inline] |
| NF_HOOK+0x160/0x4f0 include/linux/netfilter.h:314 |
| mld_sendpack+0x7b4/0x10f4 net/ipv6/mcast.c:1818 |
| mld_send_cr net/ipv6/mcast.c:2119 [inline] |
| mld_ifc_work+0x840/0xd0c net/ipv6/mcast.c:2650 |
| process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3267 |
| process_scheduled_works kernel/workqueue.c:3348 [inline] |
| worker_thread+0x938/0xef4 kernel/workqueue.c:3429 |
| kthread+0x288/0x310 kernel/kthread.c:388 |
| ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 |
| |
| The Linux kernel CVE team has assigned CVE-2024-42114 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 4.18 with commit 52539ca89f365d3db530535fbffa88a3cca4d2ec and fixed in 5.10.224 with commit 80ac0cc9c0bef984e29637b1efa93d7214b42f53 |
| Issue introduced in 4.18 with commit 52539ca89f365d3db530535fbffa88a3cca4d2ec and fixed in 5.15.165 with commit 33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22 |
| Issue introduced in 4.18 with commit 52539ca89f365d3db530535fbffa88a3cca4d2ec and fixed in 6.1.106 with commit 3fc06f6d142d2840735543216a60d0a8c345bdec |
| Issue introduced in 4.18 with commit 52539ca89f365d3db530535fbffa88a3cca4d2ec and fixed in 6.6.47 with commit 8a3ac7fb36962c34698f884bd697938054ff2afa |
| Issue introduced in 4.18 with commit 52539ca89f365d3db530535fbffa88a3cca4d2ec and fixed in 6.9.9 with commit e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7 |
| Issue introduced in 4.18 with commit 52539ca89f365d3db530535fbffa88a3cca4d2ec and fixed in 6.10 with commit d1cba2ea8121e7fdbe1328cea782876b1dd80993 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-42114 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/wireless/nl80211.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53 |
| https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22 |
| https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec |
| https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa |
| https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7 |
| https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993 |
