cve/published/2024/CVE-2024-36937.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36937: xdp: use flags field to disambiguate broadcast redirect

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 xdp: use flags field to disambiguate broadcast redirect

 When redirecting a packet using XDP, the bpf_redirect_map() helper will set
 up the redirect destination information in struct bpf_redirect_info (using
 the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()
 function will read this information after the XDP program returns and pass
 the frame on to the right redirect destination.

 When using the BPF_F_BROADCAST flag to do multicast redirect to a whole
 map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct
 bpf_redirect_info to point to the destination map to be broadcast. And
 xdp_do_redirect() reacts to the value of this map pointer to decide whether
 it's dealing with a broadcast or a single-value redirect. However, if the
 destination map is being destroyed before xdp_do_redirect() is called, the
 map pointer will be cleared out (by bpf_clear_redirect_map()) without
 waiting for any XDP programs to stop running. This causes xdp_do_redirect()
 to think that the redirect was to a single target, but the target pointer
 is also NULL (since broadcast redirects don't have a single target), so
 this causes a crash when a NULL pointer is passed to dev_map_enqueue().

 To fix this, change xdp_do_redirect() to react directly to the presence of
 the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info
 to disambiguate between a single-target and a broadcast redirect. And only
 read the 'map' pointer if the broadcast flag is set, aborting if that has
 been cleared out in the meantime. This prevents the crash, while keeping
 the atomic (cmpxchg-based) clearing of the map pointer itself, and without
 adding any more checks in the non-broadcast fast path.

 The Linux kernel CVE team has assigned CVE-2024-36937 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 5.15.159 with commit 12481f30128fbebc2eeb55eb2d56390fdfa30c5e
 	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.1.91 with commit 272bfb019f3cc018f654b992115774e77b4f3ffc
 	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.6.31 with commit e22e25820fa04ea5eaac4ef7ee200e9923f466a4
 	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.8.10 with commit 6fd81f9d333e7b3532036577b1beb74ba1323553
 	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.9 with commit 5bcf0dcbf9066348058b88a510c57f70f384c92c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36937
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/filter.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e
 	https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc
 	https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4
 	https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553
 	https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36937: xdp: use flags field to disambiguate broadcast redirect

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	xdp: use flags field to disambiguate broadcast redirect

	When redirecting a packet using XDP, the bpf_redirect_map() helper will set
	up the redirect destination information in struct bpf_redirect_info (using
	the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()
	function will read this information after the XDP program returns and pass
	the frame on to the right redirect destination.

	When using the BPF_F_BROADCAST flag to do multicast redirect to a whole
	map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct
	bpf_redirect_info to point to the destination map to be broadcast. And
	xdp_do_redirect() reacts to the value of this map pointer to decide whether
	it's dealing with a broadcast or a single-value redirect. However, if the
	destination map is being destroyed before xdp_do_redirect() is called, the
	map pointer will be cleared out (by bpf_clear_redirect_map()) without
	waiting for any XDP programs to stop running. This causes xdp_do_redirect()
	to think that the redirect was to a single target, but the target pointer
	is also NULL (since broadcast redirects don't have a single target), so
	this causes a crash when a NULL pointer is passed to dev_map_enqueue().

	To fix this, change xdp_do_redirect() to react directly to the presence of
	the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info
	to disambiguate between a single-target and a broadcast redirect. And only
	read the 'map' pointer if the broadcast flag is set, aborting if that has
	been cleared out in the meantime. This prevents the crash, while keeping
	the atomic (cmpxchg-based) clearing of the map pointer itself, and without
	adding any more checks in the non-broadcast fast path.

	The Linux kernel CVE team has assigned CVE-2024-36937 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 5.15.159 with commit 12481f30128fbebc2eeb55eb2d56390fdfa30c5e
	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.1.91 with commit 272bfb019f3cc018f654b992115774e77b4f3ffc
	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.6.31 with commit e22e25820fa04ea5eaac4ef7ee200e9923f466a4
	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.8.10 with commit 6fd81f9d333e7b3532036577b1beb74ba1323553
	Issue introduced in 5.14 with commit e624d4ed4aa8cc3c69d1359b0aaea539203ed266 and fixed in 6.9 with commit 5bcf0dcbf9066348058b88a510c57f70f384c92c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36937
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/filter.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e
	https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc
	https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4
	https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553
	https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c