Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2024 / CVE-2024-26862.mbox
blob: be8c0535be16ac351797aba835970451fe41df81 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-26862: packet: annotate data-races around ignore_outgoing
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
packet: annotate data-races around ignore_outgoing
ignore_outgoing is read locklessly from dev_queue_xmit_nit()
and packet_getsockopt()
Add appropriate READ_ONCE()/WRITE_ONCE() annotations.
syzbot reported:
BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt
write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:
packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003
do_sock_setsockopt net/socket.c:2311 [inline]
__sys_setsockopt+0x1d8/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2340
do_syscall_64+0xd3/0x1d0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:
dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248
xmit_one net/core/dev.c:3527 [inline]
dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547
__dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108
batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127
batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]
batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335
worker_thread+0x526/0x730 kernel/workqueue.c:3416
kthread+0x1d1/0x210 kernel/kthread.c:388
ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
value changed: 0x00 -> 0x01
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
The Linux kernel CVE team has assigned CVE-2024-26862 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 5.4.273 with commit 84c510411e321caff3c07e6cd0f917f06633cfc0
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 5.10.214 with commit 68e84120319d4fc298fcdb14cf0bea6a0f64ffbd
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 5.15.153 with commit d35b62c224e70797f8a1c37fe9bc4b3e294b7560
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 6.1.83 with commit ef7eed7e11d23337310ecc2c014ecaeea52719c5
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 6.6.23 with commit 2c02c5059c78a52d170bdee4a369b470de6deb37
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 6.7.11 with commit ee413f30ec4fe94a0bdf32c8f042cb06fa913234
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 6.8.2 with commit 8b1e273c6afcf00d3c40a54ada7d6aac1b503b97
Issue introduced in 4.20 with commit fa788d986a3aac5069378ed04697bd06f83d3488 and fixed in 6.9 with commit 6ebfad33161afacb3e1e59ed1c2feefef70f9f97
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26862
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/dev.c
net/packet/af_packet.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0
https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd
https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560
https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5
https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37
https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234
https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97
https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97