cve/published/2024/CVE-2024-35973.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35973: geneve: fix header validation in geneve[6]_xmit_skb

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 geneve: fix header validation in geneve[6]_xmit_skb

 syzbot is able to trigger an uninit-value in geneve_xmit() [1]

 Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())
 uses skb_protocol(skb, true), pskb_inet_may_pull() is only using
 skb->protocol.

 If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,
 pskb_inet_may_pull() does nothing at all.

 If a vlan tag was provided by the caller (af_packet in the syzbot case),
 the network header might not point to the correct location, and skb
 linear part could be smaller than expected.

 Add skb_vlan_inet_prepare() to perform a complete mac validation.

 Use this in geneve for the moment, I suspect we need to adopt this
 more broadly.

 v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest
    - Only call __vlan_get_protocol() for vlan types.

 v2,v3 - Addressed Sabrina comments on v1 and v2

 [1]

 BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]
  BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
   geneve_xmit_skb drivers/net/geneve.c:910 [inline]
   geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
   __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
   netdev_start_xmit include/linux/netdevice.h:4917 [inline]
   xmit_one net/core/dev.c:3531 [inline]
   dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
   __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335
   dev_queue_xmit include/linux/netdevice.h:3091 [inline]
   packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
   packet_snd net/packet/af_packet.c:3081 [inline]
   packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   __sys_sendto+0x685/0x830 net/socket.c:2191
   __do_sys_sendto net/socket.c:2203 [inline]
   __se_sys_sendto net/socket.c:2199 [inline]
   __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 Uninit was created at:
   slab_post_alloc_hook mm/slub.c:3804 [inline]
   slab_alloc_node mm/slub.c:3845 [inline]
   kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
   __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
   alloc_skb include/linux/skbuff.h:1318 [inline]
   alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
   sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
   packet_alloc_skb net/packet/af_packet.c:2930 [inline]
   packet_snd net/packet/af_packet.c:3024 [inline]
   packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   __sys_sendto+0x685/0x830 net/socket.c:2191
   __do_sys_sendto net/socket.c:2203 [inline]
   __se_sys_sendto net/socket.c:2199 [inline]
   __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

 The Linux kernel CVE team has assigned CVE-2024-35973 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.191 with commit 35385daa8db320d2d9664930c28e732578b0d7de and fixed in 4.19.313 with commit 43be590456e1f3566054ce78ae2dbb68cbe1a536
 	Issue introduced in 5.4.119 with commit 6f92124d74419797fadfbcd5b7a72c384a6413ad and fixed in 5.4.275 with commit d3adf11d7993518a39bd02b383cfe657ccc0023c
 	Issue introduced in 5.10.37 with commit 71ad9260c001b217d704cda88ecea251b2d367da and fixed in 5.10.216 with commit 10204df9beda4978bd1d0c2db0d8375bfb03b915
 	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 5.15.156 with commit 3c1ae6de74e3d2d6333d29a2d3e13e6094596c79
 	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.1.87 with commit 4a1b65d1e55d53b397cb27014208be1e04172670
 	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.6.28 with commit 190d9efa5773f26d6f334b1b8be282c4fa13fd5e
 	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.8.7 with commit 357163fff3a6e48fe74745425a32071ec9caf852
 	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.9 with commit d8a6213d70accb403b82924a1c229e733433a5ef
 	Issue introduced in 5.11.21 with commit 9a51e36ebf433adf59c051bec33f5aa54640bb4d
 	Issue introduced in 5.12.4 with commit 21815f28af8081b258552c111774ff320cf38d38

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35973
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/geneve.c
 	include/net/ip_tunnels.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536
 	https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c
 	https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915
 	https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79
 	https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670
 	https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e
 	https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852
 	https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35973: geneve: fix header validation in geneve[6]_xmit_skb

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	geneve: fix header validation in geneve[6]_xmit_skb

	syzbot is able to trigger an uninit-value in geneve_xmit() [1]

	Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())
	uses skb_protocol(skb, true), pskb_inet_may_pull() is only using
	skb->protocol.

	If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,
	pskb_inet_may_pull() does nothing at all.

	If a vlan tag was provided by the caller (af_packet in the syzbot case),
	the network header might not point to the correct location, and skb
	linear part could be smaller than expected.

	Add skb_vlan_inet_prepare() to perform a complete mac validation.

	Use this in geneve for the moment, I suspect we need to adopt this
	more broadly.

	v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest
	- Only call __vlan_get_protocol() for vlan types.

	v2,v3 - Addressed Sabrina comments on v1 and v2

	[1]

	BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]
	BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
	geneve_xmit_skb drivers/net/geneve.c:910 [inline]
	geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
	__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
	netdev_start_xmit include/linux/netdevice.h:4917 [inline]
	xmit_one net/core/dev.c:3531 [inline]
	dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
	__dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335
	dev_queue_xmit include/linux/netdevice.h:3091 [inline]
	packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
	packet_snd net/packet/af_packet.c:3081 [inline]
	packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	__sys_sendto+0x685/0x830 net/socket.c:2191
	__do_sys_sendto net/socket.c:2203 [inline]
	__se_sys_sendto net/socket.c:2199 [inline]
	__x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:3804 [inline]
	slab_alloc_node mm/slub.c:3845 [inline]
	kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
	__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
	alloc_skb include/linux/skbuff.h:1318 [inline]
	alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
	sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
	packet_alloc_skb net/packet/af_packet.c:2930 [inline]
	packet_snd net/packet/af_packet.c:3024 [inline]
	packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	__sys_sendto+0x685/0x830 net/socket.c:2191
	__do_sys_sendto net/socket.c:2203 [inline]
	__se_sys_sendto net/socket.c:2199 [inline]
	__x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

	The Linux kernel CVE team has assigned CVE-2024-35973 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.191 with commit 35385daa8db320d2d9664930c28e732578b0d7de and fixed in 4.19.313 with commit 43be590456e1f3566054ce78ae2dbb68cbe1a536
	Issue introduced in 5.4.119 with commit 6f92124d74419797fadfbcd5b7a72c384a6413ad and fixed in 5.4.275 with commit d3adf11d7993518a39bd02b383cfe657ccc0023c
	Issue introduced in 5.10.37 with commit 71ad9260c001b217d704cda88ecea251b2d367da and fixed in 5.10.216 with commit 10204df9beda4978bd1d0c2db0d8375bfb03b915
	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 5.15.156 with commit 3c1ae6de74e3d2d6333d29a2d3e13e6094596c79
	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.1.87 with commit 4a1b65d1e55d53b397cb27014208be1e04172670
	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.6.28 with commit 190d9efa5773f26d6f334b1b8be282c4fa13fd5e
	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.8.7 with commit 357163fff3a6e48fe74745425a32071ec9caf852
	Issue introduced in 5.13 with commit d13f048dd40e8577260cd43faea8ec9b77520197 and fixed in 6.9 with commit d8a6213d70accb403b82924a1c229e733433a5ef
	Issue introduced in 5.11.21 with commit 9a51e36ebf433adf59c051bec33f5aa54640bb4d
	Issue introduced in 5.12.4 with commit 21815f28af8081b258552c111774ff320cf38d38

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35973
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/geneve.c
	include/net/ip_tunnels.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536
	https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c
	https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915
	https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79
	https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670
	https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e
	https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852
	https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef