cve/published/2024/CVE-2024-42272.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42272: sched: act_ct: take care of padding in struct zones_ht_key

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sched: act_ct: take care of padding in struct zones_ht_key

 Blamed commit increased lookup key size from 2 bytes to 16 bytes,
 because zones_ht_key got a struct net pointer.

 Make sure rhashtable_lookup() is not using the padding bytes
 which are not initialized.

  BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
  BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
  BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
  BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
   rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
   __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
   rhashtable_lookup include/linux/rhashtable.h:646 [inline]
   rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
   tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
   tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
   tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
   tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
   tcf_action_add net/sched/act_api.c:2061 [inline]
   tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
   rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
   netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
   rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
   netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
   netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
   netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   ____sys_sendmsg+0x877/0xb60 net/socket.c:2597
   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
   __sys_sendmsg net/socket.c:2680 [inline]
   __do_sys_sendmsg net/socket.c:2689 [inline]
   __se_sys_sendmsg net/socket.c:2687 [inline]
   __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
   x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Local variable key created at:
   tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
   tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408

 The Linux kernel CVE team has assigned CVE-2024-42272 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.221 with commit 03f625505e27f709390a86c9b78d3707f4c23df8 and fixed in 5.10.224 with commit 7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee
 	Issue introduced in 5.15.162 with commit aa1f81fe3a059bc984b230b5352ab89d06aa3c7b and fixed in 5.15.165 with commit 3ddefcb8f75e312535e2e7d5fef9932019ba60f2
 	Issue introduced in 6.1.96 with commit 2f82f75f843445daa81e8b2a76774b1348033ce6 and fixed in 6.1.104 with commit d06daf0ad645d9225a3ff6958dd82e1f3988fa64
 	Issue introduced in 6.6.36 with commit 9126fd82e9edc7b4796f756e4b258d34f17e5e4a and fixed in 6.6.45 with commit d7cc186d0973afce0e1237c37f7512c01981fb79
 	Issue introduced in 6.10 with commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a and fixed in 6.10.4 with commit 3a5b68869dbe14f1157c6a24ac71923db060eeab
 	Issue introduced in 6.10 with commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a and fixed in 6.11 with commit 2191a54f63225b548fd8346be3611c3219a24738
 	Issue introduced in 6.9.7 with commit b4382b854975ae96fbfcc83a1d79b5c063c1aaa8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42272
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/act_ct.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee
 	https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2
 	https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64
 	https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79
 	https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab
 	https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42272: sched: act_ct: take care of padding in struct zones_ht_key

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sched: act_ct: take care of padding in struct zones_ht_key

	Blamed commit increased lookup key size from 2 bytes to 16 bytes,
	because zones_ht_key got a struct net pointer.

	Make sure rhashtable_lookup() is not using the padding bytes
	which are not initialized.

	BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
	BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
	BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
	BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
	BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
	rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
	__rhashtable_lookup include/linux/rhashtable.h:607 [inline]
	rhashtable_lookup include/linux/rhashtable.h:646 [inline]
	rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
	tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
	tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
	tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
	tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
	tcf_action_add net/sched/act_api.c:2061 [inline]
	tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
	rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
	netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
	rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
	netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
	netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
	netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	____sys_sendmsg+0x877/0xb60 net/socket.c:2597
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
	__sys_sendmsg net/socket.c:2680 [inline]
	__do_sys_sendmsg net/socket.c:2689 [inline]
	__se_sys_sendmsg net/socket.c:2687 [inline]
	__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
	x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Local variable key created at:
	tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
	tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408

	The Linux kernel CVE team has assigned CVE-2024-42272 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.221 with commit 03f625505e27f709390a86c9b78d3707f4c23df8 and fixed in 5.10.224 with commit 7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee
	Issue introduced in 5.15.162 with commit aa1f81fe3a059bc984b230b5352ab89d06aa3c7b and fixed in 5.15.165 with commit 3ddefcb8f75e312535e2e7d5fef9932019ba60f2
	Issue introduced in 6.1.96 with commit 2f82f75f843445daa81e8b2a76774b1348033ce6 and fixed in 6.1.104 with commit d06daf0ad645d9225a3ff6958dd82e1f3988fa64
	Issue introduced in 6.6.36 with commit 9126fd82e9edc7b4796f756e4b258d34f17e5e4a and fixed in 6.6.45 with commit d7cc186d0973afce0e1237c37f7512c01981fb79
	Issue introduced in 6.10 with commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a and fixed in 6.10.4 with commit 3a5b68869dbe14f1157c6a24ac71923db060eeab
	Issue introduced in 6.10 with commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a and fixed in 6.11 with commit 2191a54f63225b548fd8346be3611c3219a24738
	Issue introduced in 6.9.7 with commit b4382b854975ae96fbfcc83a1d79b5c063c1aaa8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42272
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/act_ct.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee
	https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2
	https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64
	https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79
	https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab
	https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738