cve/published/2024/CVE-2024-50033.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50033: slip: make slhc_remember() more robust against malicious packets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 slip: make slhc_remember() more robust against malicious packets

 syzbot found that slhc_remember() was missing checks against
 malicious packets [1].

 slhc_remember() only checked the size of the packet was at least 20,
 which is not good enough.

 We need to make sure the packet includes the IPv4 and TCP header
 that are supposed to be carried.

 Add iph and th pointers to make the code more readable.

 [1]

 BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
   slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
   ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
   ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
   ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
   ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
   pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
   __release_sock+0x1da/0x330 net/core/sock.c:3072
   release_sock+0x6b/0x250 net/core/sock.c:3626
   pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
   sock_sendmsg_nosec net/socket.c:729 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:744
   ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
   __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
   __do_sys_sendmmsg net/socket.c:2771 [inline]
   __se_sys_sendmmsg net/socket.c:2768 [inline]
   __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
   x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Uninit was created at:
   slab_post_alloc_hook mm/slub.c:4091 [inline]
   slab_alloc_node mm/slub.c:4134 [inline]
   kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
   __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
   alloc_skb include/linux/skbuff.h:1322 [inline]
   sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
   pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
   sock_sendmsg_nosec net/socket.c:729 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:744
   ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
   __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
   __do_sys_sendmmsg net/socket.c:2771 [inline]
   __se_sys_sendmmsg net/socket.c:2768 [inline]
   __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
   x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

 The Linux kernel CVE team has assigned CVE-2024-50033 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 5.4.285 with commit ba6501ea06462d6404d57d5644cf2854db38e7d7
 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 5.10.227 with commit 36b054324d18e51cf466134e13b6fbe3c91f52af
 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 5.15.168 with commit 5e336384cc9b608e0551f99c3d87316ca3b0e51a
 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.1.113 with commit ff5e0f895315706e4ca5a19df15be6866cee4f5d
 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.6.57 with commit 8bb79eb1db85a10865f0d4dd15b013def3f2d246
 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.11.4 with commit 29e8d96d44f51cf89a62dd042be35d052833b95c
 	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.12 with commit 7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50033
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/slip/slhc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7
 	https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af
 	https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a
 	https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d
 	https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246
 	https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c
 	https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50033: slip: make slhc_remember() more robust against malicious packets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	slip: make slhc_remember() more robust against malicious packets

	syzbot found that slhc_remember() was missing checks against
	malicious packets [1].

	slhc_remember() only checked the size of the packet was at least 20,
	which is not good enough.

	We need to make sure the packet includes the IPv4 and TCP header
	that are supposed to be carried.

	Add iph and th pointers to make the code more readable.

	[1]

	BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
	slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
	ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
	ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
	ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
	ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
	pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
	sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
	__release_sock+0x1da/0x330 net/core/sock.c:3072
	release_sock+0x6b/0x250 net/core/sock.c:3626
	pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
	sock_sendmsg_nosec net/socket.c:729 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:744
	____sys_sendmsg+0x903/0xb60 net/socket.c:2602
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
	__sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
	__do_sys_sendmmsg net/socket.c:2771 [inline]
	__se_sys_sendmmsg net/socket.c:2768 [inline]
	__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
	x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:4091 [inline]
	slab_alloc_node mm/slub.c:4134 [inline]
	kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
	__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
	alloc_skb include/linux/skbuff.h:1322 [inline]
	sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
	pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
	sock_sendmsg_nosec net/socket.c:729 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:744
	____sys_sendmsg+0x903/0xb60 net/socket.c:2602
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
	__sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
	__do_sys_sendmmsg net/socket.c:2771 [inline]
	__se_sys_sendmmsg net/socket.c:2768 [inline]
	__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
	x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

	The Linux kernel CVE team has assigned CVE-2024-50033 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 5.4.285 with commit ba6501ea06462d6404d57d5644cf2854db38e7d7
	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 5.10.227 with commit 36b054324d18e51cf466134e13b6fbe3c91f52af
	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 5.15.168 with commit 5e336384cc9b608e0551f99c3d87316ca3b0e51a
	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.1.113 with commit ff5e0f895315706e4ca5a19df15be6866cee4f5d
	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.6.57 with commit 8bb79eb1db85a10865f0d4dd15b013def3f2d246
	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.11.4 with commit 29e8d96d44f51cf89a62dd042be35d052833b95c
	Issue introduced in 3.2 with commit b5451d783ade99308dfccdf5ca284ed07affa4ff and fixed in 6.12 with commit 7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50033
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/slip/slhc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7
	https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af
	https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a
	https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d
	https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246
	https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c
	https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c