cve/published/2024/CVE-2024-49978.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49978: gso: fix udp gso fraglist segmentation after pull from frag_list

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 gso: fix udp gso fraglist segmentation after pull from frag_list

 Detect gso fraglist skbs with corrupted geometry (see below) and
 pass these to skb_segment instead of skb_segment_list, as the first
 can segment them correctly.

 Valid SKB_GSO_FRAGLIST skbs
 - consist of two or more segments
 - the head_skb holds the protocol headers plus first gso_size
 - one or more frag_list skbs hold exactly one segment
 - all but the last must be gso_size

 Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
 modify these skbs, breaking these invariants.

 In extreme cases they pull all data into skb linear. For UDP, this
 causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
 udp_hdr(seg->next)->dest.

 Detect invalid geometry due to pull, by checking head_skb size.
 Don't just drop, as this may blackhole a destination. Convert to be
 able to pass to regular skb_segment.

 The Linux kernel CVE team has assigned CVE-2024-49978 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.1.113 with commit 080e6c9a3908de193a48f646c5ce1bfb15676ffc
 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.6.55 with commit af3122f5fdc0d00581d6e598a668df6bf54c9daa
 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.10.14 with commit 33e28acf42ee863f332a958bfc2f1a284a3659df
 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.11.3 with commit 3cd00d2e3655fad3bda96dc1ebf17b6495f86fea
 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.12 with commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49978
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/udp_offload.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc
 	https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa
 	https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df
 	https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea
 	https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49978: gso: fix udp gso fraglist segmentation after pull from frag_list

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	gso: fix udp gso fraglist segmentation after pull from frag_list

	Detect gso fraglist skbs with corrupted geometry (see below) and
	pass these to skb_segment instead of skb_segment_list, as the first
	can segment them correctly.

	Valid SKB_GSO_FRAGLIST skbs
	- consist of two or more segments
	- the head_skb holds the protocol headers plus first gso_size
	- one or more frag_list skbs hold exactly one segment
	- all but the last must be gso_size

	Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
	modify these skbs, breaking these invariants.

	In extreme cases they pull all data into skb linear. For UDP, this
	causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
	udp_hdr(seg->next)->dest.

	Detect invalid geometry due to pull, by checking head_skb size.
	Don't just drop, as this may blackhole a destination. Convert to be
	able to pass to regular skb_segment.

	The Linux kernel CVE team has assigned CVE-2024-49978 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.1.113 with commit 080e6c9a3908de193a48f646c5ce1bfb15676ffc
	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.6.55 with commit af3122f5fdc0d00581d6e598a668df6bf54c9daa
	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.10.14 with commit 33e28acf42ee863f332a958bfc2f1a284a3659df
	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.11.3 with commit 3cd00d2e3655fad3bda96dc1ebf17b6495f86fea
	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 6.12 with commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49978
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/udp_offload.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc
	https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa
	https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df
	https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea
	https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab