cve/published/2024/CVE-2024-36008.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36008: ipv4: check for NULL idev in ip_route_use_hint()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipv4: check for NULL idev in ip_route_use_hint()

 syzbot was able to trigger a NULL deref in fib_validate_source()
 in an old tree [1].

 It appears the bug exists in latest trees.

 All calls to __in_dev_get_rcu() must be checked for a NULL result.

 [1]
 general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
 Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
 RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
 RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
 RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
 R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
 FS:  00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
   ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
   ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
   ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
   ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
   ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
   __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
   __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
   __netif_receive_skb_list net/core/dev.c:5672 [inline]
   netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
   netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
   xdp_recv_frames net/bpf/test_run.c:257 [inline]
   xdp_test_run_batch net/bpf/test_run.c:335 [inline]
   bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
   bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
   bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
   __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
   __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
   __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199

 The Linux kernel CVE team has assigned CVE-2024-36008 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 5.10.216 with commit 7da0f91681c4902bc5c210356fdd963b04d5d1d4
 	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 5.15.158 with commit 03b5a9b2b526862b21bcc31976e393a6e63785d1
 	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.1.90 with commit 7a25bfd12733a8f38f8ca47c581f876c3d481ac0
 	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.6.30 with commit 8240c7308c941db4d9a0a91b54eca843c616a655
 	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.8.9 with commit c71ea3534ec0936fc57e6fb271c7cc6a2f68c295
 	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.9 with commit 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36008
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/route.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4
 	https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1
 	https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0
 	https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655
 	https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295
 	https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36008: ipv4: check for NULL idev in ip_route_use_hint()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipv4: check for NULL idev in ip_route_use_hint()

	syzbot was able to trigger a NULL deref in fib_validate_source()
	in an old tree [1].

	It appears the bug exists in latest trees.

	All calls to __in_dev_get_rcu() must be checked for a NULL result.

	[1]
	general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
	KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
	RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
	Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
	RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
	RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
	RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
	RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
	R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
	FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
	ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
	ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
	ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
	ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
	__netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
	__netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
	__netif_receive_skb_list net/core/dev.c:5672 [inline]
	netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
	netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
	xdp_recv_frames net/bpf/test_run.c:257 [inline]
	xdp_test_run_batch net/bpf/test_run.c:335 [inline]
	bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
	bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
	bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
	__sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
	__do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
	__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199

	The Linux kernel CVE team has assigned CVE-2024-36008 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 5.10.216 with commit 7da0f91681c4902bc5c210356fdd963b04d5d1d4
	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 5.15.158 with commit 03b5a9b2b526862b21bcc31976e393a6e63785d1
	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.1.90 with commit 7a25bfd12733a8f38f8ca47c581f876c3d481ac0
	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.6.30 with commit 8240c7308c941db4d9a0a91b54eca843c616a655
	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.8.9 with commit c71ea3534ec0936fc57e6fb271c7cc6a2f68c295
	Issue introduced in 5.5 with commit 02b24941619fcce3d280311ac73b1e461552e9c8 and fixed in 6.9 with commit 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36008
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/route.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4
	https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1
	https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0
	https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655
	https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295
	https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1