cve/published/2024/CVE-2024-35888.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35888: erspan: make sure erspan_base_hdr is present in skb->head

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 erspan: make sure erspan_base_hdr is present in skb->head

 syzbot reported a problem in ip6erspan_rcv() [1]

 Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
 sure erspan_base_hdr is present in skb linear part (skb->head)
 before getting @ver field from it.

 Add the missing pskb_may_pull() calls.

 v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
     because skb->head might have changed.

 [1]

  BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
  BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
  BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
  BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
   pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
   pskb_may_pull include/linux/skbuff.h:2756 [inline]
   ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
   gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
   ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
   ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
   NF_HOOK include/linux/netfilter.h:314 [inline]
   ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
   ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
   dst_input include/net/dst.h:460 [inline]
   ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
   NF_HOOK include/linux/netfilter.h:314 [inline]
   ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
   __netif_receive_skb_one_core net/core/dev.c:5538 [inline]
   __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
   netif_receive_skb_internal net/core/dev.c:5738 [inline]
   netif_receive_skb+0x58/0x660 net/core/dev.c:5798
   tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
   tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
   tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
   call_write_iter include/linux/fs.h:2108 [inline]
   new_sync_write fs/read_write.c:497 [inline]
   vfs_write+0xb63/0x1520 fs/read_write.c:590
   ksys_write+0x20f/0x4c0 fs/read_write.c:643
   __do_sys_write fs/read_write.c:655 [inline]
   __se_sys_write fs/read_write.c:652 [inline]
   __x64_sys_write+0x93/0xe0 fs/read_write.c:652
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 Uninit was created at:
   slab_post_alloc_hook mm/slub.c:3804 [inline]
   slab_alloc_node mm/slub.c:3845 [inline]
   kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
   __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
   alloc_skb include/linux/skbuff.h:1318 [inline]
   alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
   sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
   tun_alloc_skb drivers/net/tun.c:1525 [inline]
   tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
   tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
   call_write_iter include/linux/fs.h:2108 [inline]
   new_sync_write fs/read_write.c:497 [inline]
   vfs_write+0xb63/0x1520 fs/read_write.c:590
   ksys_write+0x20f/0x4c0 fs/read_write.c:643
   __do_sys_write fs/read_write.c:655 [inline]
   __se_sys_write fs/read_write.c:652 [inline]
   __x64_sys_write+0x93/0xe0 fs/read_write.c:652
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0

 The Linux kernel CVE team has assigned CVE-2024-35888 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.20 with commit 0a198e0bb8bef51ced179702ad1af6f9e3715b64 and fixed in 4.19.312 with commit 06a939f72a24a7d8251f84cf4c042df86c6666ac
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 5.4.274 with commit e54a0c79cdc2548729dd7e2e468b08c5af4d0df5
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 5.10.215 with commit b14b9f9503ec823ca75be766dcaeff4f0bfeca85
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 5.15.154 with commit ee0088101beee10fa809716d6245d915b09c37c7
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.1.85 with commit 1db7fcb2b290c47c202b79528824f119fa28937d
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.6.26 with commit 4e3fdeecec5707678b0d1f18c259dadb97262e9d
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.8.5 with commit 0ac328a5a4138a6c03dfc3f46017bd5c19167446
 	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.9 with commit 17af420545a750f763025149fa7b833a4fc8b8f0
 	Issue introduced in 4.20.7 with commit 5195acd38ae48b7b5c186f522cd4351441297859

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35888
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/ip_gre.c
 	net/ipv6/ip6_gre.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac
 	https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5
 	https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85
 	https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7
 	https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d
 	https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d
 	https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446
 	https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35888: erspan: make sure erspan_base_hdr is present in skb->head

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	erspan: make sure erspan_base_hdr is present in skb->head

	syzbot reported a problem in ip6erspan_rcv() [1]

	Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
	sure erspan_base_hdr is present in skb linear part (skb->head)
	before getting @ver field from it.

	Add the missing pskb_may_pull() calls.

	v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
	because skb->head might have changed.

	[1]

	BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
	BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
	BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
	BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
	pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
	pskb_may_pull include/linux/skbuff.h:2756 [inline]
	ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
	gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
	ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
	ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
	NF_HOOK include/linux/netfilter.h:314 [inline]
	ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
	ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
	dst_input include/net/dst.h:460 [inline]
	ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
	NF_HOOK include/linux/netfilter.h:314 [inline]
	ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
	__netif_receive_skb_one_core net/core/dev.c:5538 [inline]
	__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
	netif_receive_skb_internal net/core/dev.c:5738 [inline]
	netif_receive_skb+0x58/0x660 net/core/dev.c:5798
	tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
	tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
	tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
	call_write_iter include/linux/fs.h:2108 [inline]
	new_sync_write fs/read_write.c:497 [inline]
	vfs_write+0xb63/0x1520 fs/read_write.c:590
	ksys_write+0x20f/0x4c0 fs/read_write.c:643
	__do_sys_write fs/read_write.c:655 [inline]
	__se_sys_write fs/read_write.c:652 [inline]
	__x64_sys_write+0x93/0xe0 fs/read_write.c:652
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:3804 [inline]
	slab_alloc_node mm/slub.c:3845 [inline]
	kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
	__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
	alloc_skb include/linux/skbuff.h:1318 [inline]
	alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
	sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
	tun_alloc_skb drivers/net/tun.c:1525 [inline]
	tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
	tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
	call_write_iter include/linux/fs.h:2108 [inline]
	new_sync_write fs/read_write.c:497 [inline]
	vfs_write+0xb63/0x1520 fs/read_write.c:590
	ksys_write+0x20f/0x4c0 fs/read_write.c:643
	__do_sys_write fs/read_write.c:655 [inline]
	__se_sys_write fs/read_write.c:652 [inline]
	__x64_sys_write+0x93/0xe0 fs/read_write.c:652
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0

	The Linux kernel CVE team has assigned CVE-2024-35888 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.20 with commit 0a198e0bb8bef51ced179702ad1af6f9e3715b64 and fixed in 4.19.312 with commit 06a939f72a24a7d8251f84cf4c042df86c6666ac
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 5.4.274 with commit e54a0c79cdc2548729dd7e2e468b08c5af4d0df5
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 5.10.215 with commit b14b9f9503ec823ca75be766dcaeff4f0bfeca85
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 5.15.154 with commit ee0088101beee10fa809716d6245d915b09c37c7
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.1.85 with commit 1db7fcb2b290c47c202b79528824f119fa28937d
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.6.26 with commit 4e3fdeecec5707678b0d1f18c259dadb97262e9d
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.8.5 with commit 0ac328a5a4138a6c03dfc3f46017bd5c19167446
	Issue introduced in 5.0 with commit cb73ee40b1b381eaf3749e6dbeed567bb38e5258 and fixed in 6.9 with commit 17af420545a750f763025149fa7b833a4fc8b8f0
	Issue introduced in 4.20.7 with commit 5195acd38ae48b7b5c186f522cd4351441297859

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35888
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/ip_gre.c
	net/ipv6/ip6_gre.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac
	https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5
	https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85
	https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7
	https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d
	https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d
	https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446
	https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0