cve/published/2024/CVE-2024-44999.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44999: gtp: pull network headers in gtp_dev_xmit()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 gtp: pull network headers in gtp_dev_xmit()

 syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]

 We must make sure the IPv4 or Ipv6 header is pulled in skb->head
 before accessing fields in them.

 Use pskb_inet_may_pull() to fix this issue.

 [1]
 BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]
  BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
  BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
   ipv6_pdp_find drivers/net/gtp.c:220 [inline]
   gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
   gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
   __netdev_start_xmit include/linux/netdevice.h:4913 [inline]
   netdev_start_xmit include/linux/netdevice.h:4922 [inline]
   xmit_one net/core/dev.c:3580 [inline]
   dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596
   __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423
   dev_queue_xmit include/linux/netdevice.h:3105 [inline]
   packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
   packet_snd net/packet/af_packet.c:3145 [inline]
   packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   __sys_sendto+0x685/0x830 net/socket.c:2204
   __do_sys_sendto net/socket.c:2216 [inline]
   __se_sys_sendto net/socket.c:2212 [inline]
   __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
   x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Uninit was created at:
   slab_post_alloc_hook mm/slub.c:3994 [inline]
   slab_alloc_node mm/slub.c:4037 [inline]
   kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080
   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
   __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
   alloc_skb include/linux/skbuff.h:1320 [inline]
   alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526
   sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815
   packet_alloc_skb net/packet/af_packet.c:2994 [inline]
   packet_snd net/packet/af_packet.c:3088 [inline]
   packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:745
   __sys_sendto+0x685/0x830 net/socket.c:2204
   __do_sys_sendto net/socket.c:2216 [inline]
   __se_sys_sendto net/socket.c:2212 [inline]
   __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
   x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024

 The Linux kernel CVE team has assigned CVE-2024-44999 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 4.19.321 with commit 3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 5.4.283 with commit f5dda8db382c5751c4e572afc7c99df7da1f83ca
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 5.10.225 with commit cbb9a969fc190e85195d1b0f08038e7f6199044e
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 5.15.166 with commit 1f6b62392453d8f36685d19b761307a8c5617ac1
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.1.107 with commit 137d565ab89ce3584503b443bc9e00d44f482593
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.6.48 with commit 34ba4f29f3d9eb52dee37512059efb2afd7e966f
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.10.7 with commit 3939d787139e359b77aaf9485d1e145d6713d7b9
 	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.11 with commit 3a3be7ff9224f424e485287b54be00d2c6bd9c40

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44999
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/gtp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3
 	https://git.kernel.org/stable/c/f5dda8db382c5751c4e572afc7c99df7da1f83ca
 	https://git.kernel.org/stable/c/cbb9a969fc190e85195d1b0f08038e7f6199044e
 	https://git.kernel.org/stable/c/1f6b62392453d8f36685d19b761307a8c5617ac1
 	https://git.kernel.org/stable/c/137d565ab89ce3584503b443bc9e00d44f482593
 	https://git.kernel.org/stable/c/34ba4f29f3d9eb52dee37512059efb2afd7e966f
 	https://git.kernel.org/stable/c/3939d787139e359b77aaf9485d1e145d6713d7b9
 	https://git.kernel.org/stable/c/3a3be7ff9224f424e485287b54be00d2c6bd9c40
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44999: gtp: pull network headers in gtp_dev_xmit()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	gtp: pull network headers in gtp_dev_xmit()

	syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]

	We must make sure the IPv4 or Ipv6 header is pulled in skb->head
	before accessing fields in them.

	Use pskb_inet_may_pull() to fix this issue.

	[1]
	BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]
	BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
	BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
	ipv6_pdp_find drivers/net/gtp.c:220 [inline]
	gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
	gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
	__netdev_start_xmit include/linux/netdevice.h:4913 [inline]
	netdev_start_xmit include/linux/netdevice.h:4922 [inline]
	xmit_one net/core/dev.c:3580 [inline]
	dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596
	__dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423
	dev_queue_xmit include/linux/netdevice.h:3105 [inline]
	packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
	packet_snd net/packet/af_packet.c:3145 [inline]
	packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	__sys_sendto+0x685/0x830 net/socket.c:2204
	__do_sys_sendto net/socket.c:2216 [inline]
	__se_sys_sendto net/socket.c:2212 [inline]
	__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
	x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:3994 [inline]
	slab_alloc_node mm/slub.c:4037 [inline]
	kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
	__alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
	alloc_skb include/linux/skbuff.h:1320 [inline]
	alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526
	sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815
	packet_alloc_skb net/packet/af_packet.c:2994 [inline]
	packet_snd net/packet/af_packet.c:3088 [inline]
	packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:745
	__sys_sendto+0x685/0x830 net/socket.c:2204
	__do_sys_sendto net/socket.c:2216 [inline]
	__se_sys_sendto net/socket.c:2212 [inline]
	__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
	x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024

	The Linux kernel CVE team has assigned CVE-2024-44999 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 4.19.321 with commit 3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 5.4.283 with commit f5dda8db382c5751c4e572afc7c99df7da1f83ca
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 5.10.225 with commit cbb9a969fc190e85195d1b0f08038e7f6199044e
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 5.15.166 with commit 1f6b62392453d8f36685d19b761307a8c5617ac1
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.1.107 with commit 137d565ab89ce3584503b443bc9e00d44f482593
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.6.48 with commit 34ba4f29f3d9eb52dee37512059efb2afd7e966f
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.10.7 with commit 3939d787139e359b77aaf9485d1e145d6713d7b9
	Issue introduced in 4.7 with commit 459aa660eb1d8ce67080da1983bb81d716aa5a69 and fixed in 6.11 with commit 3a3be7ff9224f424e485287b54be00d2c6bd9c40

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44999
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/gtp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3
	https://git.kernel.org/stable/c/f5dda8db382c5751c4e572afc7c99df7da1f83ca
	https://git.kernel.org/stable/c/cbb9a969fc190e85195d1b0f08038e7f6199044e
	https://git.kernel.org/stable/c/1f6b62392453d8f36685d19b761307a8c5617ac1
	https://git.kernel.org/stable/c/137d565ab89ce3584503b443bc9e00d44f482593
	https://git.kernel.org/stable/c/34ba4f29f3d9eb52dee37512059efb2afd7e966f
	https://git.kernel.org/stable/c/3939d787139e359b77aaf9485d1e145d6713d7b9
	https://git.kernel.org/stable/c/3a3be7ff9224f424e485287b54be00d2c6bd9c40