cve/published/2023/CVE-2023-52977.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52977: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: openvswitch: fix flow memory leak in ovs_flow_cmd_new

 Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is
 not freed when an allocation of a key fails.

 BUG: memory leak
 unreferenced object 0xffff888116668000 (size 632):
   comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s)
   hex dump (first 32 bytes):
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   backtrace:
     [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
     [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77
     [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957
     [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739
     [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
     [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800
     [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515
     [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
     [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
     [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339
     [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934
     [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]
     [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671
     [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356
     [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410
     [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
     [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
     [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

 To fix this the patch rearranges the goto labels to reflect the order of
 object allocations and adds appropriate goto statements on the error
 paths.

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

 The Linux kernel CVE team has assigned CVE-2023-52977 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14.303 with commit 655e873bf528f0f46ce6b069f9a2daee9621197c and fixed in 4.14.306 with commit 1ac653cf886cdfc082708c82dc6ac6115cebd2ee
 	Issue introduced in 4.19.270 with commit ee27d70556a47c3a07e65a60f47e3ea12a255af8 and fixed in 4.19.273 with commit af4e720bc00a2653f7b9df21755b9978b3d7f386
 	Issue introduced in 5.4.229 with commit 8b74211bf60b3e0c0ed4fe3d16c92ffdcaaf34eb and fixed in 5.4.232 with commit ed6c5e8caf55778500202775167e8ccdb1a030cb
 	Issue introduced in 5.10.163 with commit 6736b61ecf230dd656464de0f514bdeadb384f20 and fixed in 5.10.168 with commit 70154489f531587996f3e9d7cceeee65cff0001d
 	Issue introduced in 5.15.86 with commit 0133615a06007684df648feb9d327714e399afd4 and fixed in 5.15.93 with commit f423c2efd51d7eb1d143c2be7eea233241d9bbbf
 	Issue introduced in 6.1.2 with commit 32d5fa5bdccec2361fc6c4ed05a7367155b3a1e9 and fixed in 6.1.11 with commit 70d40674a549d498bd63d5432acf46205da1534b
 	Issue introduced in 4.9.337 with commit 4f592e712ea2132f511d545954867d7880df5be2
 	Issue introduced in 6.0.16 with commit a991a411c3e21ef22507400dbb179ae02029d42c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52977
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/openvswitch/datapath.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1ac653cf886cdfc082708c82dc6ac6115cebd2ee
 	https://git.kernel.org/stable/c/af4e720bc00a2653f7b9df21755b9978b3d7f386
 	https://git.kernel.org/stable/c/ed6c5e8caf55778500202775167e8ccdb1a030cb
 	https://git.kernel.org/stable/c/70154489f531587996f3e9d7cceeee65cff0001d
 	https://git.kernel.org/stable/c/f423c2efd51d7eb1d143c2be7eea233241d9bbbf
 	https://git.kernel.org/stable/c/70d40674a549d498bd63d5432acf46205da1534b
 	https://git.kernel.org/stable/c/0c598aed445eb45b0ee7ba405f7ece99ee349c30
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52977: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: openvswitch: fix flow memory leak in ovs_flow_cmd_new

	Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is
	not freed when an allocation of a key fails.

	BUG: memory leak
	unreferenced object 0xffff888116668000 (size 632):
	comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s)
	hex dump (first 32 bytes):
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	backtrace:
	[<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
	[<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77
	[<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957
	[<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739
	[<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
	[<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800
	[<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515
	[<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
	[<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
	[<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339
	[<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934
	[<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]
	[<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671
	[<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356
	[<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410
	[<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
	[<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
	[<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

	To fix this the patch rearranges the goto labels to reflect the order of
	object allocations and adds appropriate goto statements on the error
	paths.

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	The Linux kernel CVE team has assigned CVE-2023-52977 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14.303 with commit 655e873bf528f0f46ce6b069f9a2daee9621197c and fixed in 4.14.306 with commit 1ac653cf886cdfc082708c82dc6ac6115cebd2ee
	Issue introduced in 4.19.270 with commit ee27d70556a47c3a07e65a60f47e3ea12a255af8 and fixed in 4.19.273 with commit af4e720bc00a2653f7b9df21755b9978b3d7f386
	Issue introduced in 5.4.229 with commit 8b74211bf60b3e0c0ed4fe3d16c92ffdcaaf34eb and fixed in 5.4.232 with commit ed6c5e8caf55778500202775167e8ccdb1a030cb
	Issue introduced in 5.10.163 with commit 6736b61ecf230dd656464de0f514bdeadb384f20 and fixed in 5.10.168 with commit 70154489f531587996f3e9d7cceeee65cff0001d
	Issue introduced in 5.15.86 with commit 0133615a06007684df648feb9d327714e399afd4 and fixed in 5.15.93 with commit f423c2efd51d7eb1d143c2be7eea233241d9bbbf
	Issue introduced in 6.1.2 with commit 32d5fa5bdccec2361fc6c4ed05a7367155b3a1e9 and fixed in 6.1.11 with commit 70d40674a549d498bd63d5432acf46205da1534b
	Issue introduced in 4.9.337 with commit 4f592e712ea2132f511d545954867d7880df5be2
	Issue introduced in 6.0.16 with commit a991a411c3e21ef22507400dbb179ae02029d42c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52977
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/openvswitch/datapath.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1ac653cf886cdfc082708c82dc6ac6115cebd2ee
	https://git.kernel.org/stable/c/af4e720bc00a2653f7b9df21755b9978b3d7f386
	https://git.kernel.org/stable/c/ed6c5e8caf55778500202775167e8ccdb1a030cb
	https://git.kernel.org/stable/c/70154489f531587996f3e9d7cceeee65cff0001d
	https://git.kernel.org/stable/c/f423c2efd51d7eb1d143c2be7eea233241d9bbbf
	https://git.kernel.org/stable/c/70d40674a549d498bd63d5432acf46205da1534b
	https://git.kernel.org/stable/c/0c598aed445eb45b0ee7ba405f7ece99ee349c30