cve/published/2024/CVE-2024-56648.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56648: net: hsr: avoid potential out-of-bound access in fill_frame_info()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: hsr: avoid potential out-of-bound access in fill_frame_info()

 syzbot is able to feed a packet with 14 bytes, pretending
 it is a vlan one.

 Since fill_frame_info() is relying on skb->mac_len already,
 extend the check to cover this case.

 BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]
  BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
   fill_frame_info net/hsr/hsr_forward.c:709 [inline]
   hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
   hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235
   __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
   netdev_start_xmit include/linux/netdevice.h:5011 [inline]
   xmit_one net/core/dev.c:3590 [inline]
   dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
   __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434
   dev_queue_xmit include/linux/netdevice.h:3168 [inline]
   packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
   packet_snd net/packet/af_packet.c:3146 [inline]
   packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
   sock_sendmsg_nosec net/socket.c:711 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:726
   __sys_sendto+0x594/0x750 net/socket.c:2197
   __do_sys_sendto net/socket.c:2204 [inline]
   __se_sys_sendto net/socket.c:2200 [inline]
   __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
   x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Uninit was created at:
   slab_post_alloc_hook mm/slub.c:4091 [inline]
   slab_alloc_node mm/slub.c:4134 [inline]
   kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
   __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
   alloc_skb include/linux/skbuff.h:1323 [inline]
   alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612
   sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881
   packet_alloc_skb net/packet/af_packet.c:2995 [inline]
   packet_snd net/packet/af_packet.c:3089 [inline]
   packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178
   sock_sendmsg_nosec net/socket.c:711 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:726
   __sys_sendto+0x594/0x750 net/socket.c:2197
   __do_sys_sendto net/socket.c:2204 [inline]
   __se_sys_sendto net/socket.c:2200 [inline]
   __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
   x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The Linux kernel CVE team has assigned CVE-2024-56648 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.42 with commit f6442ee08fe66c8e45c4f246531a2aaf4f17a7a7 and fixed in 5.10.231 with commit aa632691c722a123e47ccd05a3afdd5f87a36061
 	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 5.15.174 with commit c6e778901d0055356c4fb223058364cae731494a
 	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.1.120 with commit 6bb5c8ebc99f0671dbd3c9408ebaf935c3951186
 	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.6.66 with commit 3c215663b3e27a3b08cefcaea623ff54c70c8035
 	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.12.5 with commit 7ea527fbd7b94d0bee64a0a7e98279bcc654b322
 	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.13 with commit b9653d19e556c6afd035602927a93d100a0d7644
 	Issue introduced in 5.12.9 with commit 4ffd1d4a6b306ff69cbe412d2c54d2dd349ff436

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56648
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/hsr/hsr_forward.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/aa632691c722a123e47ccd05a3afdd5f87a36061
 	https://git.kernel.org/stable/c/c6e778901d0055356c4fb223058364cae731494a
 	https://git.kernel.org/stable/c/6bb5c8ebc99f0671dbd3c9408ebaf935c3951186
 	https://git.kernel.org/stable/c/3c215663b3e27a3b08cefcaea623ff54c70c8035
 	https://git.kernel.org/stable/c/7ea527fbd7b94d0bee64a0a7e98279bcc654b322
 	https://git.kernel.org/stable/c/b9653d19e556c6afd035602927a93d100a0d7644
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56648: net: hsr: avoid potential out-of-bound access in fill_frame_info()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: hsr: avoid potential out-of-bound access in fill_frame_info()

	syzbot is able to feed a packet with 14 bytes, pretending
	it is a vlan one.

	Since fill_frame_info() is relying on skb->mac_len already,
	extend the check to cover this case.

	BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]
	BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
	fill_frame_info net/hsr/hsr_forward.c:709 [inline]
	hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
	hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235
	__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
	netdev_start_xmit include/linux/netdevice.h:5011 [inline]
	xmit_one net/core/dev.c:3590 [inline]
	dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
	__dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434
	dev_queue_xmit include/linux/netdevice.h:3168 [inline]
	packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
	packet_snd net/packet/af_packet.c:3146 [inline]
	packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
	sock_sendmsg_nosec net/socket.c:711 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:726
	__sys_sendto+0x594/0x750 net/socket.c:2197
	__do_sys_sendto net/socket.c:2204 [inline]
	__se_sys_sendto net/socket.c:2200 [inline]
	__x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
	x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:4091 [inline]
	slab_alloc_node mm/slub.c:4134 [inline]
	kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
	__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
	alloc_skb include/linux/skbuff.h:1323 [inline]
	alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612
	sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881
	packet_alloc_skb net/packet/af_packet.c:2995 [inline]
	packet_snd net/packet/af_packet.c:3089 [inline]
	packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178
	sock_sendmsg_nosec net/socket.c:711 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:726
	__sys_sendto+0x594/0x750 net/socket.c:2197
	__do_sys_sendto net/socket.c:2204 [inline]
	__se_sys_sendto net/socket.c:2200 [inline]
	__x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
	x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The Linux kernel CVE team has assigned CVE-2024-56648 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.42 with commit f6442ee08fe66c8e45c4f246531a2aaf4f17a7a7 and fixed in 5.10.231 with commit aa632691c722a123e47ccd05a3afdd5f87a36061
	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 5.15.174 with commit c6e778901d0055356c4fb223058364cae731494a
	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.1.120 with commit 6bb5c8ebc99f0671dbd3c9408ebaf935c3951186
	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.6.66 with commit 3c215663b3e27a3b08cefcaea623ff54c70c8035
	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.12.5 with commit 7ea527fbd7b94d0bee64a0a7e98279bcc654b322
	Issue introduced in 5.13 with commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b and fixed in 6.13 with commit b9653d19e556c6afd035602927a93d100a0d7644
	Issue introduced in 5.12.9 with commit 4ffd1d4a6b306ff69cbe412d2c54d2dd349ff436

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56648
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/hsr/hsr_forward.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/aa632691c722a123e47ccd05a3afdd5f87a36061
	https://git.kernel.org/stable/c/c6e778901d0055356c4fb223058364cae731494a
	https://git.kernel.org/stable/c/6bb5c8ebc99f0671dbd3c9408ebaf935c3951186
	https://git.kernel.org/stable/c/3c215663b3e27a3b08cefcaea623ff54c70c8035
	https://git.kernel.org/stable/c/7ea527fbd7b94d0bee64a0a7e98279bcc654b322
	https://git.kernel.org/stable/c/b9653d19e556c6afd035602927a93d100a0d7644