cve/published/2024/CVE-2024-43817.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-43817: net: missing check virtio

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: missing check virtio

 Two missing check in virtio_net_hdr_to_skb() allowed syzbot
 to crash kernels again

 1. After the skb_segment function the buffer may become non-linear
 (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere
 the __skb_linearize function will not be executed, then the buffer will
 remain non-linear. Then the condition (offset >= skb_headlen(skb))
 becomes true, which causes WARN_ON_ONCE in skb_checksum_help.

 2. The struct sk_buff and struct virtio_net_hdr members must be
 mathematically related.
 (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.
 (remainder) must be greater than (needed) otherwise WARN_ON_ONCE.
 (remainder) may be 0 if division is without remainder.

 offset+2 (4191) > skb_headlen() (1116)
 WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
 Modules linked in:
 CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
 RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
 Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef
 RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286
 RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209
 RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001
 RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c
 R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d
 FS:  0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777
  ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584
  ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]
  __ip_finish_output net/ipv4/ip_output.c:308 [inline]
  __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295
  ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
  NF_HOOK_COND include/linux/netfilter.h:303 [inline]
  ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
  dst_output include/net/dst.h:451 [inline]
  ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
  iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
  ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]
  sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076
  __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
  netdev_start_xmit include/linux/netdevice.h:4954 [inline]
  xmit_one net/core/dev.c:3545 [inline]
  dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561
  __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346
  dev_queue_xmit include/linux/netdevice.h:3134 [inline]
  packet_xmit+0x257/0x380 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3087 [inline]
  packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0xd5/0x180 net/socket.c:745
  __sys_sendto+0x255/0x340 net/socket.c:2190
  __do_sys_sendto net/socket.c:2202 [inline]
  __se_sys_sendto net/socket.c:2198 [inline]
  __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x63/0x6b

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller

 The Linux kernel CVE team has assigned CVE-2024-43817 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 5.15.165 with commit 27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f
 	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.1.103 with commit 5b1997487a3f3373b0f580c8a20b56c1b64b0775
 	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.6.44 with commit 90d41ebe0cd4635f6410471efc1dd71b33e894cf
 	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.10.3 with commit e9164903b8b303c34723177b02fe91e49e3c4cd7
 	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.11 with commit e269d79c7d35aa3808b1f3c1737d63dab504ddc8
 	Issue introduced in 4.14.242 with commit 2789bc090f4a2caef0cceb3f108867de608bb23a
 	Issue introduced in 4.19.201 with commit 16851e34b621bc7e652c508bb28c47948fb86958
 	Issue introduced in 5.4.121 with commit a05fb4ac72fb2ddbdcb135c87b0087ac59fa4de4
 	Issue introduced in 5.10.39 with commit a36703d08c83b1488a2f2922f0dc4263125ccd2d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-43817
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/virtio_net.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f
 	https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775
 	https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf
 	https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7
 	https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-43817: net: missing check virtio

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: missing check virtio

	Two missing check in virtio_net_hdr_to_skb() allowed syzbot
	to crash kernels again

	1. After the skb_segment function the buffer may become non-linear
	(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere
	the __skb_linearize function will not be executed, then the buffer will
	remain non-linear. Then the condition (offset >= skb_headlen(skb))
	becomes true, which causes WARN_ON_ONCE in skb_checksum_help.

	2. The struct sk_buff and struct virtio_net_hdr members must be
	mathematically related.
	(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.
	(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.
	(remainder) may be 0 if division is without remainder.

	offset+2 (4191) > skb_headlen() (1116)
	WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
	Modules linked in:
	CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
	Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
	RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
	Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef
	RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209
	RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001
	RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c
	R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d
	FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777
	ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584
	ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]
	__ip_finish_output net/ipv4/ip_output.c:308 [inline]
	__ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295
	ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
	NF_HOOK_COND include/linux/netfilter.h:303 [inline]
	ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
	dst_output include/net/dst.h:451 [inline]
	ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
	iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
	ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]
	sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076
	__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
	netdev_start_xmit include/linux/netdevice.h:4954 [inline]
	xmit_one net/core/dev.c:3545 [inline]
	dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561
	__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346
	dev_queue_xmit include/linux/netdevice.h:3134 [inline]
	packet_xmit+0x257/0x380 net/packet/af_packet.c:276
	packet_snd net/packet/af_packet.c:3087 [inline]
	packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0xd5/0x180 net/socket.c:745
	__sys_sendto+0x255/0x340 net/socket.c:2190
	__do_sys_sendto net/socket.c:2202 [inline]
	__se_sys_sendto net/socket.c:2198 [inline]
	__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller

	The Linux kernel CVE team has assigned CVE-2024-43817 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 5.15.165 with commit 27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f
	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.1.103 with commit 5b1997487a3f3373b0f580c8a20b56c1b64b0775
	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.6.44 with commit 90d41ebe0cd4635f6410471efc1dd71b33e894cf
	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.10.3 with commit e9164903b8b303c34723177b02fe91e49e3c4cd7
	Issue introduced in 5.12 with commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db and fixed in 6.11 with commit e269d79c7d35aa3808b1f3c1737d63dab504ddc8
	Issue introduced in 4.14.242 with commit 2789bc090f4a2caef0cceb3f108867de608bb23a
	Issue introduced in 4.19.201 with commit 16851e34b621bc7e652c508bb28c47948fb86958
	Issue introduced in 5.4.121 with commit a05fb4ac72fb2ddbdcb135c87b0087ac59fa4de4
	Issue introduced in 5.10.39 with commit a36703d08c83b1488a2f2922f0dc4263125ccd2d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-43817
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/virtio_net.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f
	https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775
	https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf
	https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7
	https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8