From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52574: team: fix null-ptr-deref when team device type is changed

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

team: fix null-ptr-deref when team device type is changed

A null-ptr-deref bug occurs as follows with reproducer [1].

BUG: kernel NULL pointer dereference, address: 0000000000000228
...
RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
...
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x82/0x150
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x26/0x30
? vlan_dev_hard_header+0x35/0x140 [8021q]
? vlan_dev_hard_header+0x8e/0x140 [8021q]
neigh_connected_output+0xb2/0x100
ip6_finish_output2+0x1cb/0x520
? nf_hook_slow+0x43/0xc0
? ip6_mtu+0x46/0x80
ip6_finish_output+0x2a/0xb0
mld_sendpack+0x18f/0x250
mld_ifc_work+0x39/0x160
process_one_work+0x1e6/0x3f0
worker_thread+0x4d/0x2f0
? __pfx_worker_thread+0x10/0x10
kthread+0xe5/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30

[1]
$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
$ ip link add name t-dummy type dummy
$ ip link add link t-dummy name t-dummy.100 type vlan id 100
$ ip link add name t-nlmon type nlmon
$ ip link set t-nlmon master team0
$ ip link set t-nlmon nomaster
$ ip link set t-dummy up
$ ip link set team0 up
$ ip link set t-dummy.100 down
$ ip link set t-dummy.100 master team0

When enslaving a vlan device to a team device and the team device type is
changed from non-ether to ether, the header_ops of the team device is changed
to vlan_header_ops. That is incorrect and will trigger a null-ptr-deref for
vlan->real_dev in vlan_dev_hard_header() because the team device is not a
vlan device.

Cache eth_header_ops in team_setup(), then assign the cached header_ops to
the header_ops of the team net device when its type is changed from
non-ether to ether to fix the bug.

The Linux kernel CVE team has assigned CVE-2023-52574 to this issue.
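The header_ops mix-up the commit message describes, as an added example that is not the kernel's code or the fix itself: a small user-space model in which a team device first takes a non-ether (nlmon) port and then an ether vlan port, replaying the reproducer's device-type flip. The struct and function names (net_device, header_ops, vlan_dev_priv, team, team_setup_by_port_buggy/fixed, replay_type_change, team_ops_is_vlan_after) borrow the kernel's naming for readability but are this model's own simplified definitions; a single create callback stands in for the hard-header path, the model assumes the team device keeps the port's non-ether type after that port is removed, and it zero-fills the team's private data where the pre-fix kernel had no cache field.

```c
#include <stddef.h>
#include <string.h>

#define ARPHRD_ETHER   1
#define ARPHRD_NETLINK 824  /* nlmon's type (uapi if_arp.h); the model only needs it to differ from ether */

struct net_device;

/* simplified header_ops: one callback stands in for the hard-header path */
struct header_ops { int (*create)(struct net_device *dev); };

struct net_device {
	const char *name;
	unsigned short type;                 /* ARPHRD_* */
	const struct header_ops *header_ops;
	void *priv;                          /* what netdev_priv(dev) returns */
};

struct vlan_dev_priv { struct net_device *real_dev; };      /* vlan: the lower device */
struct team { const struct header_ops *header_ops_cache; }; /* team: the field the fix added */

static int eth_create(struct net_device *dev)
{
	(void)dev;
	return 0;   /* a plain ethernet header needs nothing from priv */
}

/* vlan_dev_hard_header() trusts that priv is a vlan_dev_priv; nothing verifies that */
static int vlan_create(struct net_device *dev)
{
	struct vlan_dev_priv vlan;

	memcpy(&vlan, dev->priv, sizeof vlan);  /* copy rather than cast: keeps the model well-defined C */
	if (vlan.real_dev == NULL)
		return -1;                          /* where the real kernel faults on vlan->real_dev */
	return vlan.real_dev->header_ops->create(vlan.real_dev);
}

static const struct header_ops eth_header_ops  = { eth_create };
static const struct header_ops vlan_header_ops = { vlan_create };

/* pre-fix behaviour from the commit message: take the port's header_ops wholesale */
void team_setup_by_port_buggy(struct net_device *dev, const struct net_device *port_dev)
{
	dev->header_ops = port_dev->header_ops;
	dev->type = port_dev->type;
}

/* fixed behaviour: an ether port restores the ops cached at team_setup() time */
void team_setup_by_port_fixed(struct net_device *dev, const struct net_device *port_dev)
{
	struct team *team = dev->priv;

	dev->header_ops = port_dev->type == ARPHRD_ETHER ? team->header_ops_cache
	                                                 : port_dev->header_ops;
	dev->type = port_dev->type;
}

/*
 * Replay the reproducer's type flip on team0 (nlmon port in and out, then a vlan
 * port) and return what the hard-header callback does afterwards: 0 = ok,
 * -1 = would fault. If ops_out is non-NULL it receives team0's final header_ops.
 */
int replay_type_change(int fixed, const struct header_ops **ops_out)
{
	/* the pre-fix struct team has no cache; the model zero-fills the slot, and that
	 * zero is what vlan_create() later reads back as real_dev */
	struct team team = { fixed ? &eth_header_ops : NULL };
	struct net_device dummy = { "t-dummy", ARPHRD_ETHER, &eth_header_ops, NULL };
	struct vlan_dev_priv vpriv = { &dummy };
	struct net_device vlan  = { "t-dummy.100", ARPHRD_ETHER, &vlan_header_ops, &vpriv };
	struct net_device nlmon = { "t-nlmon", ARPHRD_NETLINK, NULL, NULL };
	struct net_device team0 = { "team0", ARPHRD_ETHER, &eth_header_ops, &team };
	void (*setup)(struct net_device *, const struct net_device *) =
		fixed ? team_setup_by_port_fixed : team_setup_by_port_buggy;

	setup(&team0, &nlmon);          /* 1) nlmon enslaved: team0 becomes non-ether */
	/* 2) "nomaster": the model assumes team0 keeps the non-ether type */
	if (vlan.type != team0.type)    /* 3) vlan enslaved: type flips back to ether */
		setup(&team0, &vlan);

	if (ops_out)
		*ops_out = team0.header_ops;
	return team0.header_ops->create(&team0);
}

/* 1 if the replay leaves team0 with vlan_header_ops (the mismatch), else 0 */
int team_ops_is_vlan_after(int fixed)
{
	const struct header_ops *ops;

	replay_type_change(fixed, &ops);
	return ops == &vlan_header_ops;
}
```

The point the model makes is that an ops table is only valid together with the private data layout it expects: copying vlan_header_ops onto a device whose priv is a struct team is a type confusion, and the first callback that reads vlan->real_dev walks off a pointer that was never a vlan's. The fix keeps the team's own ethernet ops for ether ports, so the callbacks that run match the structure behind priv. On an unpatched kernel the observable symptom is exactly the oops in the trace above, a page fault in vlan_dev_hard_header reached from a team master rather than a vlan device.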


Affected and fixed versions
===========================

Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 4.14.327 with commit 1779eb51b9cc628cee551f252701a85a2a50a457
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 4.19.296 with commit a7fb47b9711101d2405b0eb1276fb1f9b9b270c7
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 5.4.258 with commit c5f6478686bb45f453031594ae19b6c9723a780d
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 5.10.198 with commit b44dd92e2afd89eb6e9d27616858e72a67bdc1a7
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 5.15.134 with commit cd05eec2ee0cc396813a32ef675634e403748255
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 6.1.56 with commit 2f0acb0736ecc3eb85dc80ad2790d634dcb10b58
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 6.5.6 with commit cac50d9f5d876be32cb9aa21c74018468900284d
Issue introduced in 3.7 with commit 1d76efe1577b4323609b1bcbfafa8b731eda071a and fixed in 6.6 with commit 492032760127251e5540a5716a70996bacf2a3fd
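The version table above turned into a check, as an added example that is not part of the advisory: given a kernel release string, it decides whether this CVE's fix is present. It encodes the introduced-in version (3.7) and the fixed-in versions listed above, treats any 3.7-or-later branch the advisory lists no fix for as still affected, and assumes release strings look like major.minor[.patch][-suffix] (the function names parse_kver and cve_2023_52574_status and the sample strings are this example's own). As the advisory itself warns, distribution kernels backport fixes without changing these numbers, so a distro kernel this reports as affected has to be checked against the distribution's own changelog instead.

```c
#include <stdlib.h>
#include <stdio.h>

struct fix { int major, minor, patch; };

/* stable branches and the first release of each that carries the fix, from the advisory */
static const struct fix fixed_in[] = {
	{4, 14, 327}, {4, 19, 296}, {5, 4, 258}, {5, 10, 198},
	{5, 15, 134}, {6, 1, 56},   {6, 5, 6},   {6, 6, 0},
};
#define NFIXES (sizeof fixed_in / sizeof fixed_in[0])

/* Parse "major.minor[.patch][-anything]"; patch defaults to 0. Returns 0 on success, -1 otherwise. */
int parse_kver(const char *s, int *major, int *minor, int *patch)
{
	char *end;

	*patch = 0;
	*major = (int)strtol(s, &end, 10);
	if (end == s || *end != '.')
		return -1;
	s = end + 1;
	*minor = (int)strtol(s, &end, 10);
	if (end == s)
		return -1;
	if (*end == '.') {
		s = end + 1;
		*patch = (int)strtol(s, &end, 10);
		if (end == s)
			return -1;
	}
	return 0;
}

/*
 * Status of a kernel release for CVE-2023-52574:
 *   1 = not vulnerable (older than 3.7, or at/after the fix for its branch),
 *   0 = affected (before the fix, or a 3.7+ branch the advisory lists no fix for),
 *  -1 = release string not understood.
 */
int cve_2023_52574_status(const char *kver)
{
	int major, minor, patch;
	size_t i;

	if (parse_kver(kver, &major, &minor, &patch) != 0)
		return -1;
	if (major < 3 || (major == 3 && minor < 7))
		return 1;                       /* introduced in 3.7 */
	if (major > 6 || (major == 6 && minor > 6))
		return 1;                       /* newer than 6.6, which carries the fix */
	for (i = 0; i < NFIXES; i++)
		if (fixed_in[i].major == major && fixed_in[i].minor == minor)
			return patch >= fixed_in[i].patch ? 1 : 0;
	return 0;                               /* e.g. 5.16: affected, no stable fix listed */
}

int main(void)
{
	/* constructed sample release strings, not taken from any real host */
	const char *samples[] = { "5.10.197", "5.10.198-generic", "6.6", "5.16.20", "3.6.11" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-18s -> %d\n", samples[i], cve_2023_52574_status(samples[i]));
	return 0;
}
```

Feed it the output of `uname -r` on a self-built or upstream stable kernel and the answer is exact; for vendor kernels treat a 0 as "look it up", not as a finding.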

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52574
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/net/team/team.c
include/linux/if_team.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457
https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7
https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d
https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7
https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255
https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58
https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d
https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd