cve/published/2024/CVE-2024-41090.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41090: tap: add missing verification for short frame

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tap: add missing verification for short frame

 The cited commit missed to check against the validity of the frame length
 in the tap_get_user_xdp() path, which could cause a corrupted skb to be
 sent downstack. Even before the skb is transmitted, the
 tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
 than ETH_HLEN. Once transmitted, this could either cause out-of-bound
 access beyond the actual length, or confuse the underlayer with incorrect
 or inconsistent header length in the skb metadata.

 In the alternative path, tap_get_user() already prohibits short frame which
 has the length less than Ethernet header size from being transmitted.

 This is to drop any frame shorter than the Ethernet header size just like
 how tap_get_user() does.

 CVE: CVE-2024-41090

 The Linux kernel CVE team has assigned CVE-2024-41090 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 5.4.281 with commit 8be915fc5ff9a5e296f6538be12ea75a1a93bdea
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 5.10.223 with commit 7431144b406ae82807eb87d8c98e518475b0450f
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 5.15.164 with commit e5e5e63c506b93b89b01f522b6a7343585f784e6
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.1.102 with commit ee93e6da30377cf2a75e16cd32bb9fcd86a61c46
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.6.43 with commit aa6a5704cab861c9b2ae9f475076e1881e87f5aa
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.9.12 with commit 73d462a38d5f782b7c872fe9ae8393d9ef5483da
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.10.2 with commit e1a786b9bbb767fd1c922d424aaa8078cc542309
 	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.11 with commit ed7f2afdd0e043a397677e597ced0830b83ba0b3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41090
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/tap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea
 	https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f
 	https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6
 	https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46
 	https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa
 	https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da
 	https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309
 	https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41090: tap: add missing verification for short frame

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tap: add missing verification for short frame

	The cited commit missed to check against the validity of the frame length
	in the tap_get_user_xdp() path, which could cause a corrupted skb to be
	sent downstack. Even before the skb is transmitted, the
	tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
	than ETH_HLEN. Once transmitted, this could either cause out-of-bound
	access beyond the actual length, or confuse the underlayer with incorrect
	or inconsistent header length in the skb metadata.

	In the alternative path, tap_get_user() already prohibits short frame which
	has the length less than Ethernet header size from being transmitted.

	This is to drop any frame shorter than the Ethernet header size just like
	how tap_get_user() does.

	CVE: CVE-2024-41090

	The Linux kernel CVE team has assigned CVE-2024-41090 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 5.4.281 with commit 8be915fc5ff9a5e296f6538be12ea75a1a93bdea
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 5.10.223 with commit 7431144b406ae82807eb87d8c98e518475b0450f
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 5.15.164 with commit e5e5e63c506b93b89b01f522b6a7343585f784e6
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.1.102 with commit ee93e6da30377cf2a75e16cd32bb9fcd86a61c46
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.6.43 with commit aa6a5704cab861c9b2ae9f475076e1881e87f5aa
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.9.12 with commit 73d462a38d5f782b7c872fe9ae8393d9ef5483da
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.10.2 with commit e1a786b9bbb767fd1c922d424aaa8078cc542309
	Issue introduced in 4.20 with commit 0efac27791ee068075d80f07c55a229b1335ce12 and fixed in 6.11 with commit ed7f2afdd0e043a397677e597ced0830b83ba0b3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41090
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/tap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea
	https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f
	https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6
	https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46
	https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa
	https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da
	https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309
	https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3