cve/published/2023/CVE-2023-52578.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52578: net: bridge: use DEV_STATS_INC()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: bridge: use DEV_STATS_INC()

 syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
 This function can run from multiple cpus without mutual exclusion.

 Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.

 Handles updates to dev->stats.tx_dropped while we are at it.

 [1]
 BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish

 read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
 br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
 br_nf_hook_thresh+0x1ed/0x220
 br_nf_pre_routing_finish_ipv6+0x50f/0x540
 NF_HOOK include/linux/netfilter.h:304 [inline]
 br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
 br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
 __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
 __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
 process_backlog+0x21f/0x380 net/core/dev.c:5965
 __napi_poll+0x60/0x3b0 net/core/dev.c:6527
 napi_poll net/core/dev.c:6594 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6727
 __do_softirq+0xc1/0x265 kernel/softirq.c:553
 run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
 smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

 read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
 br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
 br_nf_hook_thresh+0x1ed/0x220
 br_nf_pre_routing_finish_ipv6+0x50f/0x540
 NF_HOOK include/linux/netfilter.h:304 [inline]
 br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
 br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
 __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
 __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
 process_backlog+0x21f/0x380 net/core/dev.c:5965
 __napi_poll+0x60/0x3b0 net/core/dev.c:6527
 napi_poll net/core/dev.c:6594 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6727
 __do_softirq+0xc1/0x265 kernel/softirq.c:553
 do_softirq+0x5e/0x90 kernel/softirq.c:454
 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
 batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
 worker_thread+0x525/0x730 kernel/workqueue.c:2784
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

 value changed: 0x00000000000d7190 -> 0x00000000000d7191

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0

 The Linux kernel CVE team has assigned CVE-2023-52578 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 4.19.296 with commit d2346e6beb699909ca455d9d20c4e577ce900839
 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 5.4.258 with commit ad8d39c7b437fcdab7208a6a56c093d222c008d5
 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 5.10.198 with commit 04cc361f029c14dd067ad180525c7392334c9bfd
 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 5.15.134 with commit 8bc97117b51d68d5cea8f5351cca2d8c4153f394
 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 6.1.56 with commit 89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 6.5.6 with commit f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa
 	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 6.6 with commit 44bdb313da57322c9b3c108eb66981c6ec6509f4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52578
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bridge/br_forward.c
 	net/bridge/br_input.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839
 	https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5
 	https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd
 	https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394
 	https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
 	https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa
 	https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52578: net: bridge: use DEV_STATS_INC()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: bridge: use DEV_STATS_INC()

	syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
	This function can run from multiple cpus without mutual exclusion.

	Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.

	Handles updates to dev->stats.tx_dropped while we are at it.

	[1]
	BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish

	read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
	br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
	br_nf_hook_thresh+0x1ed/0x220
	br_nf_pre_routing_finish_ipv6+0x50f/0x540
	NF_HOOK include/linux/netfilter.h:304 [inline]
	br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
	br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
	nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
	nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
	br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
	__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
	__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
	__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
	process_backlog+0x21f/0x380 net/core/dev.c:5965
	__napi_poll+0x60/0x3b0 net/core/dev.c:6527
	napi_poll net/core/dev.c:6594 [inline]
	net_rx_action+0x32b/0x750 net/core/dev.c:6727
	__do_softirq+0xc1/0x265 kernel/softirq.c:553
	run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
	smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
	kthread+0x1d7/0x210 kernel/kthread.c:388
	ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

	read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
	br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
	br_nf_hook_thresh+0x1ed/0x220
	br_nf_pre_routing_finish_ipv6+0x50f/0x540
	NF_HOOK include/linux/netfilter.h:304 [inline]
	br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
	br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
	nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
	nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
	br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
	__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
	__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
	__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
	process_backlog+0x21f/0x380 net/core/dev.c:5965
	__napi_poll+0x60/0x3b0 net/core/dev.c:6527
	napi_poll net/core/dev.c:6594 [inline]
	net_rx_action+0x32b/0x750 net/core/dev.c:6727
	__do_softirq+0xc1/0x265 kernel/softirq.c:553
	do_softirq+0x5e/0x90 kernel/softirq.c:454
	__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
	__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
	_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
	spin_unlock_bh include/linux/spinlock.h:396 [inline]
	batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
	batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
	process_one_work kernel/workqueue.c:2630 [inline]
	process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
	worker_thread+0x525/0x730 kernel/workqueue.c:2784
	kthread+0x1d7/0x210 kernel/kthread.c:388
	ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

	value changed: 0x00000000000d7190 -> 0x00000000000d7191

	Reported by Kernel Concurrency Sanitizer on:
	CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0

	The Linux kernel CVE team has assigned CVE-2023-52578 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 4.19.296 with commit d2346e6beb699909ca455d9d20c4e577ce900839
	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 5.4.258 with commit ad8d39c7b437fcdab7208a6a56c093d222c008d5
	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 5.10.198 with commit 04cc361f029c14dd067ad180525c7392334c9bfd
	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 5.15.134 with commit 8bc97117b51d68d5cea8f5351cca2d8c4153f394
	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 6.1.56 with commit 89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 6.5.6 with commit f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa
	Issue introduced in 2.6.17 with commit 1c29fc4989bc2a3838b2837adc12b8aeb0feeede and fixed in 6.6 with commit 44bdb313da57322c9b3c108eb66981c6ec6509f4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52578
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bridge/br_forward.c
	net/bridge/br_input.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839
	https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5
	https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd
	https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394
	https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
	https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa
	https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4