cve/published/2024/CVE-2024-26857.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26857: geneve: make sure to pull inner header in geneve_rx()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 geneve: make sure to pull inner header in geneve_rx()

 syzbot triggered a bug in geneve_rx() [1]

 Issue is similar to the one I fixed in commit 8d975c15c0cd
 ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")

 We have to save skb->network_header in a temporary variable
 in order to be able to recompute the network_header pointer
 after a pskb_inet_may_pull() call.

 pskb_inet_may_pull() makes sure the needed headers are in skb->head.

 [1]
 BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
  BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
  BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
   IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
   geneve_rx drivers/net/geneve.c:279 [inline]
   geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
   udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
   udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
   udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
   __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
   udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
   ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
   ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
   NF_HOOK include/linux/netfilter.h:314 [inline]
   ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
   dst_input include/net/dst.h:461 [inline]
   ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
   NF_HOOK include/linux/netfilter.h:314 [inline]
   ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
   __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
   __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
   process_backlog+0x480/0x8b0 net/core/dev.c:5976
   __napi_poll+0xe3/0x980 net/core/dev.c:6576
   napi_poll net/core/dev.c:6645 [inline]
   net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
   __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
   do_softirq+0x9a/0xf0 kernel/softirq.c:454
   __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
   local_bh_enable include/linux/bottom_half.h:33 [inline]
   rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
   __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
   dev_queue_xmit include/linux/netdevice.h:3171 [inline]
   packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
   packet_snd net/packet/af_packet.c:3081 [inline]
   packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg net/socket.c:745 [inline]
   __sys_sendto+0x735/0xa10 net/socket.c:2191
   __do_sys_sendto net/socket.c:2203 [inline]
   __se_sys_sendto net/socket.c:2199 [inline]
   __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x63/0x6b

 Uninit was created at:
   slab_post_alloc_hook mm/slub.c:3819 [inline]
   slab_alloc_node mm/slub.c:3860 [inline]
   kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
   __alloc_skb+0x352/0x790 net/core/skbuff.c:651
   alloc_skb include/linux/skbuff.h:1296 [inline]
   alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
   sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
   packet_alloc_skb net/packet/af_packet.c:2930 [inline]
   packet_snd net/packet/af_packet.c:3024 [inline]
   packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg net/socket.c:745 [inline]
   __sys_sendto+0x735/0xa10 net/socket.c:2191
   __do_sys_sendto net/socket.c:2203 [inline]
   __se_sys_sendto net/socket.c:2199 [inline]
   __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x63/0x6b

 The Linux kernel CVE team has assigned CVE-2024-26857 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 4.19.310 with commit e431c3227864b5646601c97f5f898d99472f2914
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.4.272 with commit 59d2a4076983303f324557a114cfd5c32e1f6b29
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.10.213 with commit c7137900691f5692fe3de54566ea7b30bb35d66c
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.15.152 with commit e77e0b0f2a11735c64b105edaee54d6344faca8a
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.1.82 with commit c0b22568a9d8384fd000cc49acb8f74bde40d1b5
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.6.22 with commit 0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.7.10 with commit 048e16dee1fc609c1c85072ccd70bfd4b5fef6ca
 	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.8 with commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26857
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/geneve.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914
 	https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29
 	https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c
 	https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a
 	https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5
 	https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5
 	https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca
 	https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26857: geneve: make sure to pull inner header in geneve_rx()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	geneve: make sure to pull inner header in geneve_rx()

	syzbot triggered a bug in geneve_rx() [1]

	Issue is similar to the one I fixed in commit 8d975c15c0cd
	("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")

	We have to save skb->network_header in a temporary variable
	in order to be able to recompute the network_header pointer
	after a pskb_inet_may_pull() call.

	pskb_inet_may_pull() makes sure the needed headers are in skb->head.

	[1]
	BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
	BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
	BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
	IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
	geneve_rx drivers/net/geneve.c:279 [inline]
	geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
	udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
	udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
	udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
	__udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
	udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
	ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
	ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
	NF_HOOK include/linux/netfilter.h:314 [inline]
	ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
	dst_input include/net/dst.h:461 [inline]
	ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
	NF_HOOK include/linux/netfilter.h:314 [inline]
	ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
	__netif_receive_skb_one_core net/core/dev.c:5534 [inline]
	__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
	process_backlog+0x480/0x8b0 net/core/dev.c:5976
	__napi_poll+0xe3/0x980 net/core/dev.c:6576
	napi_poll net/core/dev.c:6645 [inline]
	net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
	__do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
	do_softirq+0x9a/0xf0 kernel/softirq.c:454
	__local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
	local_bh_enable include/linux/bottom_half.h:33 [inline]
	rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
	__dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
	dev_queue_xmit include/linux/netdevice.h:3171 [inline]
	packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
	packet_snd net/packet/af_packet.c:3081 [inline]
	packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg net/socket.c:745 [inline]
	__sys_sendto+0x735/0xa10 net/socket.c:2191
	__do_sys_sendto net/socket.c:2203 [inline]
	__se_sys_sendto net/socket.c:2199 [inline]
	__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:3819 [inline]
	slab_alloc_node mm/slub.c:3860 [inline]
	kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
	__alloc_skb+0x352/0x790 net/core/skbuff.c:651
	alloc_skb include/linux/skbuff.h:1296 [inline]
	alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
	sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
	packet_alloc_skb net/packet/af_packet.c:2930 [inline]
	packet_snd net/packet/af_packet.c:3024 [inline]
	packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg net/socket.c:745 [inline]
	__sys_sendto+0x735/0xa10 net/socket.c:2191
	__do_sys_sendto net/socket.c:2203 [inline]
	__se_sys_sendto net/socket.c:2199 [inline]
	__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	The Linux kernel CVE team has assigned CVE-2024-26857 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 4.19.310 with commit e431c3227864b5646601c97f5f898d99472f2914
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.4.272 with commit 59d2a4076983303f324557a114cfd5c32e1f6b29
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.10.213 with commit c7137900691f5692fe3de54566ea7b30bb35d66c
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.15.152 with commit e77e0b0f2a11735c64b105edaee54d6344faca8a
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.1.82 with commit c0b22568a9d8384fd000cc49acb8f74bde40d1b5
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.6.22 with commit 0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.7.10 with commit 048e16dee1fc609c1c85072ccd70bfd4b5fef6ca
	Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.8 with commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26857
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/geneve.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914
	https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29
	https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c
	https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a
	https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5
	https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5
	https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca
	https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74