From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-27415: netfilter: bridge: confirm multicast packets before passing them up the stack

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: confirm multicast packets before passing them up the stack

conntrack nf_confirm logic cannot handle cloned skbs referencing
the same nf_conn entry, which will happen for multicast (broadcast)
frames on bridges.

Example:
          macvlan0
             |
            br0
           /   \
        ethX   ethY

ethX (or Y) receives an L2 multicast or broadcast packet containing
an IP packet, flow is not yet in conntrack table.

1. skb passes through bridge and fake-ip (br_netfilter) Prerouting.
   -> skb->_nfct now references an unconfirmed entry
2. skb is broad/mcast packet. bridge now passes clones out on each bridge
   interface.
3. skb gets passed up the stack.
4. In macvlan case, macvlan driver retains clone(s) of the mcast skb
   and schedules a work queue to send them out on the lower devices.

   The clone skb->_nfct is not a copy, it is the same entry as the
   original skb. The macvlan rx handler then returns RX_HANDLER_PASS.
5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.

The Macvlan broadcast worker and normal confirm path will race.

This race will not happen if step 2 already confirmed a clone. In that
case later steps perform skb_clone() with skb->_nfct already confirmed (in
hash table). This works fine.

But such confirmation won't happen when eb/ip/nftables rules dropped the
packets before they reached the nf_confirm step in postrouting.

Pablo points out that nf_conntrack_bridge doesn't allow use of stateful
nat, so we can safely discard the nf_conn entry and let inet call
conntrack again.

This doesn't work for bridge netfilter: skb could have a nat
transformation. Also bridge nf prevents re-invocation of inet prerouting
via 'sabotage_in' hook.

Work around this problem by explicit confirmation of the entry at LOCAL_IN
time, before upper layer has a chance to clone the unconfirmed entry.

The downside is that this disables NAT and conntrack helpers.

Alternative fix would be to add locking to all code parts that deal with
unconfirmed packets, but even if that could be done in a sane way this
opens up other problems, for example:

-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4
-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5

For multicast case, only one of such conflicting mappings will be
created, conntrack only handles 1:1 NAT mappings.

Users should create a setup that explicitly marks such traffic
NOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass
them, ruleset might have accept rules for untracked traffic already,
so user-visible behaviour would change.
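
One way to apply the NOTRACK bypass the commit message recommends, as an added example that is not part of the advisory or the kernel patch: an nftables raw-priority chain in the inet family that marks broadcast and multicast packets untracked before conntrack sees them. It assumes the br_netfilter (fake-ip) path, where bridged packets traverse the ip/inet prerouting hooks and conntrack attaches at priority -200, so a priority raw (-300) chain runs first; with nf_conntrack_bridge the equivalent chain would live in the bridge family instead.

```nft
# Added example, not from the advisory: bypass conntrack for the L2
# broadcast/multicast frames that br_netfilter hands to the inet prerouting hooks.
table inet raw {
    chain prerouting {
        # "raw" priority (-300) runs before conntrack's prerouting hook (-200),
        # so the packet never acquires an unconfirmed nf_conn that clones could share.
        type filter hook prerouting priority raw; policy accept;

        # meta pkttype is the link-layer packet type (host/broadcast/multicast/other)
        meta pkttype { broadcast, multicast } counter notrack
    }
}
```

As the commit message warns, untracked packets no longer match `ct state` rules, so existing rules that accept or drop on `ct state` need an explicit `ct state untracked` clause for this traffic or their behaviour changes.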

The Linux kernel CVE team has assigned CVE-2024-27415 to this issue.


Affected and fixed versions
===========================

Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.151 with commit 7c3f28599652acf431a2211168de4a583f30b6d5
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.81 with commit 2b1414d5e94e477edff1d2c79030f1d742625ea0
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.21 with commit 80cd0487f630b5382734997c3e5e3003a77db315
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.7.9 with commit cb734975b0ffa688ff6cc0eed463865bf07b6c01
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8 with commit 62e7151ae3eb465e0ab52a20c941ff33bb6332e9

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-27415
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
include/linux/netfilter.h
net/bridge/br_netfilter_hooks.c
net/bridge/netfilter/nf_conntrack_bridge.c
net/netfilter/nf_conntrack_core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5
https://git.kernel.org/stable/c/2b1414d5e94e477edff1d2c79030f1d742625ea0
https://git.kernel.org/stable/c/80cd0487f630b5382734997c3e5e3003a77db315
https://git.kernel.org/stable/c/cb734975b0ffa688ff6cc0eed463865bf07b6c01
https://git.kernel.org/stable/c/62e7151ae3eb465e0ab52a20c941ff33bb6332e9