cve/published/2024/CVE-2024-47713.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47713: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

 Since '__dev_queue_xmit()' should be called with interrupts enabled,
 the following backtrace:

 ieee80211_do_stop()
  ...
  spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
  ...
  ieee80211_free_txskb()
   ieee80211_report_used_skb()
    ieee80211_report_ack_skb()
     cfg80211_mgmt_tx_status_ext()
      nl80211_frame_tx_status()
       genlmsg_multicast_netns()
        genlmsg_multicast_netns_filtered()
         nlmsg_multicast_filtered()
 	 netlink_broadcast_filtered()
 	  do_one_broadcast()
 	   netlink_broadcast_deliver()
 	    __netlink_sendskb()
 	     netlink_deliver_tap()
 	      __netlink_deliver_tap_skb()
 	       dev_queue_xmit()
 	        __dev_queue_xmit() ; with IRQS disabled
  ...
  spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)

 issues the warning (as reported by syzbot reproducer):

 WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120

 Fix this by implementing a two-phase skb reclamation in
 'ieee80211_do_stop()', where actual work is performed
 outside of a section with interrupts disabled.

 The Linux kernel CVE team has assigned CVE-2024-47713 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 4.19.323 with commit 07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 5.4.285 with commit 04f75f5bae33349283d6886901d9acd2f110c024
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 5.10.227 with commit f232916fab67ca1c3425926df4a866e59ff26908
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 5.15.168 with commit acb53a716e492a02479345157c43f21edc8bc64b
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.1.113 with commit db5ca4b42ccfa42d2af7b335ff12578e57775c02
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.6.54 with commit 058c9026ad79dc98572442fd4c7e9a36aba6f596
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.10.13 with commit eab272972cffff9cd973b8e4055a8e81c64f7e6a
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.11.2 with commit ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec
 	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.12 with commit 9d301de12da6e1bb069a9835c38359b8e8135121

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47713
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac80211/iface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268
 	https://git.kernel.org/stable/c/04f75f5bae33349283d6886901d9acd2f110c024
 	https://git.kernel.org/stable/c/f232916fab67ca1c3425926df4a866e59ff26908
 	https://git.kernel.org/stable/c/acb53a716e492a02479345157c43f21edc8bc64b
 	https://git.kernel.org/stable/c/db5ca4b42ccfa42d2af7b335ff12578e57775c02
 	https://git.kernel.org/stable/c/058c9026ad79dc98572442fd4c7e9a36aba6f596
 	https://git.kernel.org/stable/c/eab272972cffff9cd973b8e4055a8e81c64f7e6a
 	https://git.kernel.org/stable/c/ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec
 	https://git.kernel.org/stable/c/9d301de12da6e1bb069a9835c38359b8e8135121
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47713: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

	Since '__dev_queue_xmit()' should be called with interrupts enabled,
	the following backtrace:

	ieee80211_do_stop()
	...
	spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
	...
	ieee80211_free_txskb()
	ieee80211_report_used_skb()
	ieee80211_report_ack_skb()
	cfg80211_mgmt_tx_status_ext()
	nl80211_frame_tx_status()
	genlmsg_multicast_netns()
	genlmsg_multicast_netns_filtered()
	nlmsg_multicast_filtered()
	netlink_broadcast_filtered()
	do_one_broadcast()
	netlink_broadcast_deliver()
	__netlink_sendskb()
	netlink_deliver_tap()
	__netlink_deliver_tap_skb()
	dev_queue_xmit()
	__dev_queue_xmit() ; with IRQS disabled
	...
	spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)

	issues the warning (as reported by syzbot reproducer):

	WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120

	Fix this by implementing a two-phase skb reclamation in
	'ieee80211_do_stop()', where actual work is performed
	outside of a section with interrupts disabled.

	The Linux kernel CVE team has assigned CVE-2024-47713 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 4.19.323 with commit 07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 5.4.285 with commit 04f75f5bae33349283d6886901d9acd2f110c024
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 5.10.227 with commit f232916fab67ca1c3425926df4a866e59ff26908
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 5.15.168 with commit acb53a716e492a02479345157c43f21edc8bc64b
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.1.113 with commit db5ca4b42ccfa42d2af7b335ff12578e57775c02
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.6.54 with commit 058c9026ad79dc98572442fd4c7e9a36aba6f596
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.10.13 with commit eab272972cffff9cd973b8e4055a8e81c64f7e6a
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.11.2 with commit ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec
	Issue introduced in 2.6.32 with commit 5061b0c2b9066de426fbc63f1278d2210e789412 and fixed in 6.12 with commit 9d301de12da6e1bb069a9835c38359b8e8135121

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47713
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac80211/iface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268
	https://git.kernel.org/stable/c/04f75f5bae33349283d6886901d9acd2f110c024
	https://git.kernel.org/stable/c/f232916fab67ca1c3425926df4a866e59ff26908
	https://git.kernel.org/stable/c/acb53a716e492a02479345157c43f21edc8bc64b
	https://git.kernel.org/stable/c/db5ca4b42ccfa42d2af7b335ff12578e57775c02
	https://git.kernel.org/stable/c/058c9026ad79dc98572442fd4c7e9a36aba6f596
	https://git.kernel.org/stable/c/eab272972cffff9cd973b8e4055a8e81c64f7e6a
	https://git.kernel.org/stable/c/ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec
	https://git.kernel.org/stable/c/9d301de12da6e1bb069a9835c38359b8e8135121