cve/published/2024/CVE-2024-50256.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50256: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

 I got a syzbot report without a repro [1] crashing in nf_send_reset6()

 I think the issue is that dev->hard_header_len is zero, and we attempt
 later to push an Ethernet header.

 Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c.

 [1]

 skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun
  kernel BUG at net/core/skbuff.c:206 !
 Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
 CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
  RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
  RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282
 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800
 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc
 R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140
 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c
 FS:  00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
   skb_push+0xe5/0x100 net/core/skbuff.c:2636
   eth_header+0x38/0x1f0 net/ethernet/eth.c:83
   dev_hard_header include/linux/netdevice.h:3208 [inline]
   nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358
   nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48
   expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
   nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
   nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
   nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
   nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
   nf_hook include/linux/netfilter.h:269 [inline]
   NF_HOOK include/linux/netfilter.h:312 [inline]
   br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184
   nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
   nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
   br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424
   __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562
   __netif_receive_skb_one_core net/core/dev.c:5666 [inline]
   __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781
   netif_receive_skb_internal net/core/dev.c:5867 [inline]
   netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926
   tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550
   tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007
   tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053
   new_sync_write fs/read_write.c:590 [inline]
   vfs_write+0xa6d/0xc90 fs/read_write.c:683
   ksys_write+0x183/0x2b0 fs/read_write.c:736
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7fdbeeb7d1ff
 Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff
 RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8
 RBP: 00007fdbeebf12be R08: 0000000000000000 R09: 0000000000000000
 R10: 000000000000008e R11: 0000000000000293 R12: 0000000000000000
 R13: 0000000000000000 R14: 00007fdbeed36058 R15: 00007ffc38de06e8
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-50256 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.1.116 with commit 4f7b586aae53c2ed820661803da8ce18b1361921
 	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.6.60 with commit fef63832317d9d24e1214cdd8f204d02ebdf8499
 	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.11.7 with commit f85b057e34419e5ec0583a65078a11ccc1d4540a
 	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.12 with commit 4ed234fe793f27a3b151c43d2106df2ff0d81aac

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50256
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/netfilter/nf_reject_ipv6.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4f7b586aae53c2ed820661803da8ce18b1361921
 	https://git.kernel.org/stable/c/fef63832317d9d24e1214cdd8f204d02ebdf8499
 	https://git.kernel.org/stable/c/f85b057e34419e5ec0583a65078a11ccc1d4540a
 	https://git.kernel.org/stable/c/4ed234fe793f27a3b151c43d2106df2ff0d81aac
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50256: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

	I got a syzbot report without a repro [1] crashing in nf_send_reset6()

	I think the issue is that dev->hard_header_len is zero, and we attempt
	later to push an Ethernet header.

	Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c.

	[1]

	skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun
	kernel BUG at net/core/skbuff.c:206 !
	Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
	CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
	RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
	Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
	RSP: 0018:ffffc900045269b0 EFLAGS: 00010282
	RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800
	RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
	RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc
	R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140
	R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c
	FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	skb_push+0xe5/0x100 net/core/skbuff.c:2636
	eth_header+0x38/0x1f0 net/ethernet/eth.c:83
	dev_hard_header include/linux/netdevice.h:3208 [inline]
	nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358
	nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48
	expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
	nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
	nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
	nf_hook include/linux/netfilter.h:269 [inline]
	NF_HOOK include/linux/netfilter.h:312 [inline]
	br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
	br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424
	__netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562
	__netif_receive_skb_one_core net/core/dev.c:5666 [inline]
	__netif_receive_skb+0x12f/0x650 net/core/dev.c:5781
	netif_receive_skb_internal net/core/dev.c:5867 [inline]
	netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926
	tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550
	tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007
	tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053
	new_sync_write fs/read_write.c:590 [inline]
	vfs_write+0xa6d/0xc90 fs/read_write.c:683
	ksys_write+0x183/0x2b0 fs/read_write.c:736
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7fdbeeb7d1ff
	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
	RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
	RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff
	RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8
	RBP: 00007fdbeebf12be R08: 0000000000000000 R09: 0000000000000000
	R10: 000000000000008e R11: 0000000000000293 R12: 0000000000000000
	R13: 0000000000000000 R14: 00007fdbeed36058 R15: 00007ffc38de06e8
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-50256 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.1.116 with commit 4f7b586aae53c2ed820661803da8ce18b1361921
	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.6.60 with commit fef63832317d9d24e1214cdd8f204d02ebdf8499
	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.11.7 with commit f85b057e34419e5ec0583a65078a11ccc1d4540a
	Issue introduced in 3.18 with commit c8d7b98bec43faaa6583c3135030be5eb4693acb and fixed in 6.12 with commit 4ed234fe793f27a3b151c43d2106df2ff0d81aac

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50256
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/netfilter/nf_reject_ipv6.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4f7b586aae53c2ed820661803da8ce18b1361921
	https://git.kernel.org/stable/c/fef63832317d9d24e1214cdd8f204d02ebdf8499
	https://git.kernel.org/stable/c/f85b057e34419e5ec0583a65078a11ccc1d4540a
	https://git.kernel.org/stable/c/4ed234fe793f27a3b151c43d2106df2ff0d81aac