cve/published/2024/CVE-2024-56372.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56372: net: tun: fix tun_napi_alloc_frags()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: tun: fix tun_napi_alloc_frags()

 syzbot reported the following crash [1]

 Issue came with the blamed commit. Instead of going through
 all the iov components, we keep using the first one
 and end up with a malformed skb.

 [1]

 kernel BUG at net/core/skbuff.c:2849 !
 Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
 CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
  RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848
 Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
 RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293
 RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00
 RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000
 RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c
 R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50
 R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80
 FS:  00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
   skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284
   tipc_aead_decrypt net/tipc/crypto.c:894 [inline]
   tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844
   tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109
   tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668
   __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline]
   __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762
   __netif_receive_skb_list net/core/dev.c:5814 [inline]
   netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905
   gro_normal_list include/net/gro.h:515 [inline]
   napi_complete_done+0x2b5/0x870 net/core/dev.c:6256
   napi_complete include/linux/netdevice.h:567 [inline]
   tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982
   tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057
  do_iter_readv_writev+0x600/0x880
   vfs_writev+0x376/0xba0 fs/read_write.c:1050
   do_writev+0x1b6/0x360 fs/read_write.c:1096
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The Linux kernel CVE team has assigned CVE-2024-56372 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit de4f5fed3f231a8ff4790bf52975f847b95b85ea and fixed in 6.6.68 with commit efe74dd58a72bd987b158142c904b7ef2ad132e2
 	Issue introduced in 6.4 with commit de4f5fed3f231a8ff4790bf52975f847b95b85ea and fixed in 6.12.7 with commit 4f393ea1e2f9c3b646d00572dd92c48b1869c65f
 	Issue introduced in 6.4 with commit de4f5fed3f231a8ff4790bf52975f847b95b85ea and fixed in 6.13 with commit 429fde2d81bcef0ebab002215358955704586457

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56372
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/tun.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/efe74dd58a72bd987b158142c904b7ef2ad132e2
 	https://git.kernel.org/stable/c/4f393ea1e2f9c3b646d00572dd92c48b1869c65f
 	https://git.kernel.org/stable/c/429fde2d81bcef0ebab002215358955704586457
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56372: net: tun: fix tun_napi_alloc_frags()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: tun: fix tun_napi_alloc_frags()

	syzbot reported the following crash [1]

	Issue came with the blamed commit. Instead of going through
	all the iov components, we keep using the first one
	and end up with a malformed skb.

	[1]

	kernel BUG at net/core/skbuff.c:2849 !
	Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
	CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
	RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848
	Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
	RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293
	RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00
	RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000
	RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c
	R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50
	R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80
	FS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284
	tipc_aead_decrypt net/tipc/crypto.c:894 [inline]
	tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844
	tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109
	tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668
	__netif_receive_skb_list_ptype net/core/dev.c:5720 [inline]
	__netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762
	__netif_receive_skb_list net/core/dev.c:5814 [inline]
	netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905
	gro_normal_list include/net/gro.h:515 [inline]
	napi_complete_done+0x2b5/0x870 net/core/dev.c:6256
	napi_complete include/linux/netdevice.h:567 [inline]
	tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982
	tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057
	do_iter_readv_writev+0x600/0x880
	vfs_writev+0x376/0xba0 fs/read_write.c:1050
	do_writev+0x1b6/0x360 fs/read_write.c:1096
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The Linux kernel CVE team has assigned CVE-2024-56372 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit de4f5fed3f231a8ff4790bf52975f847b95b85ea and fixed in 6.6.68 with commit efe74dd58a72bd987b158142c904b7ef2ad132e2
	Issue introduced in 6.4 with commit de4f5fed3f231a8ff4790bf52975f847b95b85ea and fixed in 6.12.7 with commit 4f393ea1e2f9c3b646d00572dd92c48b1869c65f
	Issue introduced in 6.4 with commit de4f5fed3f231a8ff4790bf52975f847b95b85ea and fixed in 6.13 with commit 429fde2d81bcef0ebab002215358955704586457

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56372
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/tun.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/efe74dd58a72bd987b158142c904b7ef2ad132e2
	https://git.kernel.org/stable/c/4f393ea1e2f9c3b646d00572dd92c48b1869c65f
	https://git.kernel.org/stable/c/429fde2d81bcef0ebab002215358955704586457