cve/published/2024/CVE-2024-35893.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35893: net/sched: act_skbmod: prevent kernel-infoleak

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/sched: act_skbmod: prevent kernel-infoleak

 syzbot found that tcf_skbmod_dump() was copying four bytes
 from kernel stack to user space [1].

 The issue here is that 'struct tc_skbmod' has a four bytes hole.

 We need to clear the structure before filling fields.

 [1]
 BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
  BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
  BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
  BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
  BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
  BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
   instrument_copy_to_user include/linux/instrumented.h:114 [inline]
   copy_to_user_iter lib/iov_iter.c:24 [inline]
   iterate_ubuf include/linux/iov_iter.h:29 [inline]
   iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
   iterate_and_advance include/linux/iov_iter.h:271 [inline]
   _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
   copy_to_iter include/linux/uio.h:196 [inline]
   simple_copy_to_iter net/core/datagram.c:532 [inline]
   __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
   skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
   skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
   netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
   sock_recvmsg_nosec net/socket.c:1046 [inline]
   sock_recvmsg+0x2c4/0x340 net/socket.c:1068
   __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
   __do_sys_recvfrom net/socket.c:2260 [inline]
   __se_sys_recvfrom net/socket.c:2256 [inline]
   __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 Uninit was stored to memory at:
   pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
   netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
   netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
   nlmsg_unicast include/net/netlink.h:1144 [inline]
   nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
   rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
   rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
   tcf_add_notify net/sched/act_api.c:2048 [inline]
   tcf_action_add net/sched/act_api.c:2071 [inline]
   tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
   rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
   netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
   rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
   netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
   netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
   netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
   __sys_sendmsg net/socket.c:2667 [inline]
   __do_sys_sendmsg net/socket.c:2676 [inline]
   __se_sys_sendmsg net/socket.c:2674 [inline]
   __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 Uninit was stored to memory at:
   __nla_put lib/nlattr.c:1041 [inline]
   nla_put+0x1c6/0x230 lib/nlattr.c:1099
   tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
   tcf_action_dump_old net/sched/act_api.c:1191 [inline]
   tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
   tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
   tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
   tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
   tcf_add_notify net/sched/act_api.c:2042 [inline]
   tcf_action_add net/sched/act_api.c:2071 [inline]
   tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
   rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
   netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
   rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
   netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
   netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
   netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
   __sys_sendmsg net/socket.c:2667 [inline]
   __do_sys_sendmsg net/socket.c:2676 [inline]
   __se_sys_sendmsg net/socket.c:2674 [inline]
   __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 Local variable opt created at:
   tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
   tcf_action_dump_old net/sched/act_api.c:1191 [inline]
   tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227

 Bytes 188-191 of 248 are uninitialized
 Memory access of size 248 starts at ffff888117697680
 Data copied to user address 00007ffe56d855f0

 The Linux kernel CVE team has assigned CVE-2024-35893 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 4.19.312 with commit f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 5.4.274 with commit f356eb2fb567e0931143ac1769ac802d3b3e2077
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 5.10.215 with commit 5e45dc4408857305f4685abfd7a528a1e58b51b5
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 5.15.154 with commit a097fc199ab5f4b5392c5144034c0d2148b55a14
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.1.85 with commit 55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.6.26 with commit 729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.8.5 with commit 7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
 	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.9 with commit d313eb8b77557a6d5855f42d2234bd592c7b50dd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35893
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/act_skbmod.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
 	https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077
 	https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5
 	https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14
 	https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
 	https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
 	https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
 	https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35893: net/sched: act_skbmod: prevent kernel-infoleak

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/sched: act_skbmod: prevent kernel-infoleak

	syzbot found that tcf_skbmod_dump() was copying four bytes
	from kernel stack to user space [1].

	The issue here is that 'struct tc_skbmod' has a four bytes hole.

	We need to clear the structure before filling fields.

	[1]
	BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
	BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
	BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
	BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
	BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
	BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
	instrument_copy_to_user include/linux/instrumented.h:114 [inline]
	copy_to_user_iter lib/iov_iter.c:24 [inline]
	iterate_ubuf include/linux/iov_iter.h:29 [inline]
	iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
	iterate_and_advance include/linux/iov_iter.h:271 [inline]
	_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
	copy_to_iter include/linux/uio.h:196 [inline]
	simple_copy_to_iter net/core/datagram.c:532 [inline]
	__skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
	skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
	skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
	netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
	sock_recvmsg_nosec net/socket.c:1046 [inline]
	sock_recvmsg+0x2c4/0x340 net/socket.c:1068
	__sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
	__do_sys_recvfrom net/socket.c:2260 [inline]
	__se_sys_recvfrom net/socket.c:2256 [inline]
	__x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	Uninit was stored to memory at:
	pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
	netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
	netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
	nlmsg_unicast include/net/netlink.h:1144 [inline]
	nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
	rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
	rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
	tcf_add_notify net/sched/act_api.c:2048 [inline]
	tcf_action_add net/sched/act_api.c:2071 [inline]
	tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
	rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
	netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
	rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
	netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
	netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
	netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	____sys_sendmsg+0x877/0xb60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	Uninit was stored to memory at:
	__nla_put lib/nlattr.c:1041 [inline]
	nla_put+0x1c6/0x230 lib/nlattr.c:1099
	tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
	tcf_action_dump_old net/sched/act_api.c:1191 [inline]
	tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
	tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
	tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
	tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
	tcf_add_notify net/sched/act_api.c:2042 [inline]
	tcf_action_add net/sched/act_api.c:2071 [inline]
	tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
	rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
	netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
	rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
	netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
	netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
	netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	____sys_sendmsg+0x877/0xb60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	Local variable opt created at:
	tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
	tcf_action_dump_old net/sched/act_api.c:1191 [inline]
	tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227

	Bytes 188-191 of 248 are uninitialized
	Memory access of size 248 starts at ffff888117697680
	Data copied to user address 00007ffe56d855f0

	The Linux kernel CVE team has assigned CVE-2024-35893 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 4.19.312 with commit f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 5.4.274 with commit f356eb2fb567e0931143ac1769ac802d3b3e2077
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 5.10.215 with commit 5e45dc4408857305f4685abfd7a528a1e58b51b5
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 5.15.154 with commit a097fc199ab5f4b5392c5144034c0d2148b55a14
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.1.85 with commit 55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.6.26 with commit 729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.8.5 with commit 7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
	Issue introduced in 4.9 with commit 86da71b57383d40993cb90baafb3735cffe5d800 and fixed in 6.9 with commit d313eb8b77557a6d5855f42d2234bd592c7b50dd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35893
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/act_skbmod.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
	https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077
	https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5
	https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14
	https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
	https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
	https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
	https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd