From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-26921: inet: inet_defrag: prevent sk release while still in use

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

inet: inet_defrag: prevent sk release while still in use

ip_local_out() and other functions can pass skb->sk as a function argument.

If the skb is a fragment and reassembly happens before such a function call
returns, the sk must not be released.

This affects skb fragments reassembled via netfilter or similar
modules, e.g. openvswitch or ct_act.c, when run as part of the tx pipeline.

Eric Dumazet made an initial analysis of this bug. Quoting Eric:
  Calling ip_defrag() in output path is also implying skb_orphan(),
  which is buggy because output path relies on sk not disappearing.

  A relevant old patch about the issue was:
  8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()")

  [..]

  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an
  inet socket, not an arbitrary one.

  If we orphan the packet in ipvlan, then downstream things like FQ
  packet scheduler will not work properly.

  We need to change ip_defrag() to only use skb_orphan() when really
  needed, i.e. whenever frag_list is going to be used.

Eric suggested stashing sk in the fragment queue and made an initial patch.
However, there is a problem with this:

If the skb is refragmented again right after, ip_do_fragment() will copy
head->sk to the new fragments, and set up the destructor to sock_wfree.
IOW, we have no choice but to fix up sk_wmem accounting to reflect the
fully reassembled skb, else wmem will underflow.

This change moves the orphan down into the core, to the last possible moment.
As ip_defrag_offset is aliased with the sk_buff->sk member, we must move the
offset into the FRAG_CB, else skb->sk gets clobbered.

This allows delaying the orphaning long enough to learn if the skb has
to be queued or if the skb is completing the reasm queue.

In the former case, things work as before: the skb is orphaned. This is
safe because the skb gets queued/stolen and won't continue past the reasm engine.

In the latter case, we will steal the skb->sk reference, reattach it to
the head skb, and fix up wmem accounting when inet_frag inflates truesize.

The Linux kernel CVE team has assigned CVE-2024-26921 to this issue.
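As an added illustration, not code from the kernel or from the fix commit, here is a constructed toy model of the two orphaning strategies the description contrasts: `defrag_old` orphans every fragment on entry, so the socket a caller such as ip_local_out() is still using can be freed under it; `defrag_new` orphans only fragments that get queued, moves the completing fragment's sk to the head skb and re-charges wmem for the inflated truesize. All struct and function names are simplified stand-ins, not the kernel's definitions.

```c
#include <stdio.h>

/* Constructed toy model, not kernel code: an skb holds a reference to its
 * sending socket (sk) and charges its truesize to sk->wmem_alloc. */
struct sock { int refcnt; int wmem_alloc; int freed; };
struct skb  { struct sock *sk; int truesize; int last_fragment; };
struct outcome { int sk_freed; int sk_on_head; int wmem_ok; };
static void sock_put(struct sock *sk) { if (--sk->refcnt == 0) sk->freed = 1; }

static void skb_orphan(struct skb *skb) {   /* uncharge and drop the sk reference */
    if (!skb->sk) return;
    skb->sk->wmem_alloc -= skb->truesize;
    sock_put(skb->sk);
    skb->sk = NULL;
}

/* Pre-fix: every fragment is orphaned on entry, even the one completing
 * reassembly, so the sk the caller still uses can be released under it. */
static struct skb *defrag_old(struct skb *skb, struct skb *head) {
    skb_orphan(skb);
    if (!skb->last_fragment) return NULL;   /* queued inside reasm, safe */
    head->truesize += skb->truesize;        /* reasm inflates the head */
    return head;                            /* returned with head->sk == NULL */
}

/* Post-fix: orphan only a queued fragment; the completing one keeps its sk,
 * which moves to the head, and wmem is re-charged for the inflated truesize. */
static struct skb *defrag_new(struct skb *skb, struct skb *head) {
    if (!skb->last_fragment) { skb_orphan(skb); return NULL; }
    struct sock *sk = skb->sk; skb->sk = NULL;          /* steal the reference */
    head->truesize += skb->truesize; head->sk = sk;     /* reattach it to the head */
    sk->wmem_alloc += head->truesize - skb->truesize;   /* charge the delta */
    return head;
}

/* Scenario: an already-orphaned queued head plus the final fragment whose
 * sk the caller (think ip_local_out()) still expects to be valid. */
struct outcome run(struct skb *(*defrag)(struct skb *, struct skb *)) {
    struct sock sk = { 1, 700, 0 };         /* ref and charge held by 'last' */
    struct skb head = { NULL, 1500, 0 }, last = { &sk, 700, 1 };
    struct skb *out = defrag(&last, &head);
    struct outcome o = { sk.freed, out && out->sk == &sk, sk.wmem_alloc == head.truesize };
    return o;
}

int main(void) {
    struct outcome a = run(defrag_old), b = run(defrag_new);
    printf("old: sk freed=%d | new: sk on head=%d, wmem ok=%d\n", a.sk_freed, b.sk_on_head, b.wmem_ok);
    return 0;
}
```

With the old path the returned head has no sk and the socket's refcount has already hit zero while the caller still holds it; with the new path the sk survives on the head and wmem equals the reassembled truesize.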


Affected and fixed versions
===========================

Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 5.4.285 with commit 1b6de5e6575b56502665c65cf93b0ae6aa0f51ab
Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 5.10.227 with commit 9705f447bf9a6cd088300ad2c407b5e1c6591091
Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 5.15.168 with commit 4318608dc28ef184158b4045896740716bea23f0
Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 6.1.85 with commit 7d0567842b78390dd9b60f00f1d8f838d540e325
Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 6.6.26 with commit f4877225313d474659ee53150ccc3d553a978727
Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 6.8.5 with commit e09cbe017311508c21e0739e97198a8388b98981
Issue introduced in 4.1 with commit 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab and fixed in 6.9 with commit 18685451fc4e546fc0e718580d32df3c0e5c8272
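To triage hosts against the table above, an added example (not a kernel.org tool) that classifies a `uname -r` string: it applies the 4.1 lower bound, matches a stable branch to its listed backport patch level, and treats 6.9 and later as fixed. It reads only the version number, so distribution kernels that backport fixes without bumping it, and -rc tags, still need the vendor's own advisory.

```c
#include <stdio.h>

/* Fix table transcribed from the "Affected and fixed versions" list
 * above (constructed example, not a kernel.org tool). */
struct ver { int major, minor, patch; };
static const struct ver introduced = { 4, 1, 0 };
static const struct ver fixed_in[] = {
    { 5, 4, 285 }, { 5, 10, 227 }, { 5, 15, 168 }, { 6, 1, 85 },
    { 6, 6, 26 }, { 6, 8, 5 }, { 6, 9, 0 },
};
enum state { UNKNOWN = -1, UNAFFECTED, AFFECTED, FIXED };

static int cmp(struct ver a, struct ver b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* Classify a `uname -r` string against the advisory's version table.
 * Trailing text such as "-generic" or "-arch1" is ignored; distro
 * backports without a version bump and -rc tags are not detected. */
enum state cve_2024_26921_state(const char *uname_r) {
    struct ver v = { 0, 0, 0 };
    size_t n = sizeof fixed_in / sizeof fixed_in[0];
    if (sscanf(uname_r, "%d.%d.%d", &v.major, &v.minor, &v.patch) < 2)
        return UNKNOWN;
    if (cmp(v, introduced) < 0) return UNAFFECTED;   /* predates 4.1 */
    /* The last entry is the mainline fix: everything from 6.9 on is fixed. */
    if (cmp(v, fixed_in[n - 1]) >= 0) return FIXED;
    for (size_t i = 0; i + 1 < n; i++)   /* stable branches with a backport */
        if (v.major == fixed_in[i].major && v.minor == fixed_in[i].minor)
            return v.patch >= fixed_in[i].patch ? FIXED : AFFECTED;
    /* 4.1 <= version < 6.9 on a branch with no listed backport. */
    return AFFECTED;
}

int main(void) {
    const char *samples[] = { "6.8.4", "6.8.5-arch1", "5.10.226", "6.10.1", "4.0.9", "5.16.20" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], cve_2024_26921_state(samples[i]));
    return 0;
}
```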

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26921
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
include/linux/skbuff.h
net/ipv4/inet_fragment.c
net/ipv4/ip_fragment.c
net/ipv6/netfilter/nf_conntrack_reasm.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1b6de5e6575b56502665c65cf93b0ae6aa0f51ab
https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091
https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0
https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325
https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727
https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981
https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272