cve/published/2024/CVE-2024-45001.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-45001: net: mana: Fix RX buf alloc_size alignment and atomic op panic

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: mana: Fix RX buf alloc_size alignment and atomic op panic

 The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to
 create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment
 is affected by the alloc_size passed into napi_build_skb(). The size needs
 to be aligned properly for better performance and atomic operations.
 Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic
 operations may panic on the skb_shinfo(skb)->dataref due to alignment fault.

 To fix this bug, add proper alignment to the alloc_size calculation.

 Sample panic info:
 [  253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce
 [  253.300900] Mem abort info:
 [  253.301760]   ESR = 0x0000000096000021
 [  253.302825]   EC = 0x25: DABT (current EL), IL = 32 bits
 [  253.304268]   SET = 0, FnV = 0
 [  253.305172]   EA = 0, S1PTW = 0
 [  253.306103]   FSC = 0x21: alignment fault
 Call trace:
  __skb_clone+0xfc/0x198
  skb_clone+0x78/0xe0
  raw6_local_deliver+0xfc/0x228
  ip6_protocol_deliver_rcu+0x80/0x500
  ip6_input_finish+0x48/0x80
  ip6_input+0x48/0xc0
  ip6_sublist_rcv_finish+0x50/0x78
  ip6_sublist_rcv+0x1cc/0x2b8
  ipv6_list_rcv+0x100/0x150
  __netif_receive_skb_list_core+0x180/0x220
  netif_receive_skb_list_internal+0x198/0x2a8
  __napi_poll+0x138/0x250
  net_rx_action+0x148/0x330
  handle_softirqs+0x12c/0x3a0

 The Linux kernel CVE team has assigned CVE-2024-45001 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 80f6215b450eb8e92d8b1f117abf5ecf867f963e and fixed in 6.6.48 with commit 65f20b174ec0172f2d6bcfd8533ab9c9e7e347fa
 	Issue introduced in 6.4 with commit 80f6215b450eb8e92d8b1f117abf5ecf867f963e and fixed in 6.10.7 with commit e6bea6a45f8a401f3d5a430bc81814f0cc8848cf
 	Issue introduced in 6.4 with commit 80f6215b450eb8e92d8b1f117abf5ecf867f963e and fixed in 6.11 with commit 32316f676b4ee87c0404d333d248ccf777f739bc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-45001
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/microsoft/mana/mana_en.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/65f20b174ec0172f2d6bcfd8533ab9c9e7e347fa
 	https://git.kernel.org/stable/c/e6bea6a45f8a401f3d5a430bc81814f0cc8848cf
 	https://git.kernel.org/stable/c/32316f676b4ee87c0404d333d248ccf777f739bc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-45001: net: mana: Fix RX buf alloc_size alignment and atomic op panic

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: mana: Fix RX buf alloc_size alignment and atomic op panic

	The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to
	create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment
	is affected by the alloc_size passed into napi_build_skb(). The size needs
	to be aligned properly for better performance and atomic operations.
	Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic
	operations may panic on the skb_shinfo(skb)->dataref due to alignment fault.

	To fix this bug, add proper alignment to the alloc_size calculation.

	Sample panic info:
	[ 253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce
	[ 253.300900] Mem abort info:
	[ 253.301760] ESR = 0x0000000096000021
	[ 253.302825] EC = 0x25: DABT (current EL), IL = 32 bits
	[ 253.304268] SET = 0, FnV = 0
	[ 253.305172] EA = 0, S1PTW = 0
	[ 253.306103] FSC = 0x21: alignment fault
	Call trace:
	__skb_clone+0xfc/0x198
	skb_clone+0x78/0xe0
	raw6_local_deliver+0xfc/0x228
	ip6_protocol_deliver_rcu+0x80/0x500
	ip6_input_finish+0x48/0x80
	ip6_input+0x48/0xc0
	ip6_sublist_rcv_finish+0x50/0x78
	ip6_sublist_rcv+0x1cc/0x2b8
	ipv6_list_rcv+0x100/0x150
	__netif_receive_skb_list_core+0x180/0x220
	netif_receive_skb_list_internal+0x198/0x2a8
	__napi_poll+0x138/0x250
	net_rx_action+0x148/0x330
	handle_softirqs+0x12c/0x3a0

	The Linux kernel CVE team has assigned CVE-2024-45001 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 80f6215b450eb8e92d8b1f117abf5ecf867f963e and fixed in 6.6.48 with commit 65f20b174ec0172f2d6bcfd8533ab9c9e7e347fa
	Issue introduced in 6.4 with commit 80f6215b450eb8e92d8b1f117abf5ecf867f963e and fixed in 6.10.7 with commit e6bea6a45f8a401f3d5a430bc81814f0cc8848cf
	Issue introduced in 6.4 with commit 80f6215b450eb8e92d8b1f117abf5ecf867f963e and fixed in 6.11 with commit 32316f676b4ee87c0404d333d248ccf777f739bc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-45001
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/microsoft/mana/mana_en.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/65f20b174ec0172f2d6bcfd8533ab9c9e7e347fa
	https://git.kernel.org/stable/c/e6bea6a45f8a401f3d5a430bc81814f0cc8848cf
	https://git.kernel.org/stable/c/32316f676b4ee87c0404d333d248ccf777f739bc