cve/published/2022/CVE-2022-49663.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49663: tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()

 Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header
 was not set") caught a bug in skb_tunnel_check_pmtu(), as shown
 in this syzbot report [1].

 In ndo_start_xmit() paths, there is really no need to use skb->mac_header,
 because skb->data is supposed to point at it.

 [1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]
 WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
 Modules linked in:
 CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]
 RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
 Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00
 RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212
 RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000
 RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003
 RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff
 R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff
 R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f
 FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
 <TASK>
 geneve_xmit_skb drivers/net/geneve.c:927 [inline]
 geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107
 __netdev_start_xmit include/linux/netdevice.h:4805 [inline]
 netdev_start_xmit include/linux/netdevice.h:4819 [inline]
 __dev_direct_xmit+0x500/0x730 net/core/dev.c:4309
 dev_direct_xmit include/linux/netdevice.h:3007 [inline]
 packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282
 packet_snd net/packet/af_packet.c:3073 [inline]
 packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2489
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2543
 __sys_sendmsg net/socket.c:2572 [inline]
 __do_sys_sendmsg net/socket.c:2581 [inline]
 __se_sys_sendmsg net/socket.c:2579 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
 RIP: 0033:0x7f3baaa89109
 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109
 RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003
 RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000
 </TASK>

 The Linux kernel CVE team has assigned CVE-2022-49663 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.10.129 with commit 59c51c3b545128a92ebfb6dbae990d3abee110e7
 	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.15.53 with commit 674a641e5b67e16ba3112eacd680ff87b38539de
 	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.18.10 with commit 32dcf62efa0003f92a976aea0c57f118e689de8b
 	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.19 with commit 853a7614880231747040cada91d2b8d2e995c51a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49663
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/ip_tunnel_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/59c51c3b545128a92ebfb6dbae990d3abee110e7
 	https://git.kernel.org/stable/c/674a641e5b67e16ba3112eacd680ff87b38539de
 	https://git.kernel.org/stable/c/32dcf62efa0003f92a976aea0c57f118e689de8b
 	https://git.kernel.org/stable/c/853a7614880231747040cada91d2b8d2e995c51a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49663: tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()

	Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header
	was not set") caught a bug in skb_tunnel_check_pmtu(), as shown
	in this syzbot report [1].

	In ndo_start_xmit() paths, there is really no need to use skb->mac_header,
	because skb->data is supposed to point at it.

	[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]
	WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
	Modules linked in:
	CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]
	RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
	Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00
	RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212
	RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000
	RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003
	RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff
	R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff
	R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f
	FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	geneve_xmit_skb drivers/net/geneve.c:927 [inline]
	geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107
	__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
	netdev_start_xmit include/linux/netdevice.h:4819 [inline]
	__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309
	dev_direct_xmit include/linux/netdevice.h:3007 [inline]
	packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282
	packet_snd net/packet/af_packet.c:3073 [inline]
	packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104
	sock_sendmsg_nosec net/socket.c:714 [inline]
	sock_sendmsg+0xcf/0x120 net/socket.c:734
	____sys_sendmsg+0x6eb/0x810 net/socket.c:2489
	___sys_sendmsg+0xf3/0x170 net/socket.c:2543
	__sys_sendmsg net/socket.c:2572 [inline]
	__do_sys_sendmsg net/socket.c:2581 [inline]
	__se_sys_sendmsg net/socket.c:2579 [inline]
	__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x46/0xb0
	RIP: 0033:0x7f3baaa89109
	Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
	RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109
	RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003
	RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000
	</TASK>

	The Linux kernel CVE team has assigned CVE-2022-49663 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.10.129 with commit 59c51c3b545128a92ebfb6dbae990d3abee110e7
	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.15.53 with commit 674a641e5b67e16ba3112eacd680ff87b38539de
	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.18.10 with commit 32dcf62efa0003f92a976aea0c57f118e689de8b
	Issue introduced in 5.9 with commit 4cb47a8644cc9eb8ec81190a50e79e6530d0297f and fixed in 5.19 with commit 853a7614880231747040cada91d2b8d2e995c51a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49663
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/ip_tunnel_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/59c51c3b545128a92ebfb6dbae990d3abee110e7
	https://git.kernel.org/stable/c/674a641e5b67e16ba3112eacd680ff87b38539de
	https://git.kernel.org/stable/c/32dcf62efa0003f92a976aea0c57f118e689de8b
	https://git.kernel.org/stable/c/853a7614880231747040cada91d2b8d2e995c51a