Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / rejected / 2024 / CVE-2024-35941.mbox
blob: 1fde85ec2962524bd2e69148082a307ed732f2f4 [file] [log] [blame]
From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-35941: net: skbuff: add overflow debug check to pull/push helpers
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: add overflow debug check to pull/push helpers
syzbot managed to trigger following splat:
BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50
Read of size 1 at addr ffff888208a4000e by task a.out/2313
[..]
__skb_flow_dissect+0x4a3b/0x5e50
__skb_get_hash+0xb4/0x400
ip_tunnel_xmit+0x77e/0x26f0
ipip_tunnel_xmit+0x298/0x410
..
Analysis shows that the skb has a valid ->head, but bogus ->data
pointer.
skb->data gets its bogus value via the neigh layer, which does:
1556 __skb_pull(skb, skb_network_offset(skb));
... and the skb was already dodgy at this point:
skb_network_offset(skb) returns a negative value due to an
earlier overflow of skb->network_header (u16). __skb_pull thus
"adjusts" skb->data by a huge offset, pointing outside skb->head
area.
Allow debug builds to splat when we try to pull/push more than
INT_MAX bytes.
After this, the syzkaller reproducer yields a more precise splat
before the flow dissector attempts to read off skb->data memory:
WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400
ip_finish_output2+0xb25/0xed0
iptunnel_xmit+0x4ff/0x870
ipgre_xmit+0x78e/0xbb0
The Linux kernel CVE team has assigned CVE-2024-35941 to this issue.
Affected and fixed versions
===========================
Fixed in 6.1.86 with commit 8af60bb2b215
Fixed in 6.6.27 with commit 1b2b26595bb0
Fixed in 6.8.6 with commit fff05b2b004d
Fixed in 6.9 with commit 219eee9c0d16
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35941
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/linux/skbuff.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/8af60bb2b215f478b886f1d6d302fefa7f0b917d
https://git.kernel.org/stable/c/1b2b26595bb09febf14c5444c873ac4ec90a5a77
https://git.kernel.org/stable/c/fff05b2b004d9a8a2416d08647f3dc9068e357c8
https://git.kernel.org/stable/c/219eee9c0d16f1b754a8b85275854ab17df0850a