cve/published/2024/CVE-2024-50142.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50142: xfrm: validate new SA's prefixlen using SA family when sel.family is unset

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 xfrm: validate new SA's prefixlen using SA family when sel.family is unset

 This expands the validation introduced in commit 07bf7908950a ("xfrm:
 Validate address prefix lengths in the xfrm selector.")

 syzbot created an SA with
     usersa.sel.family = AF_UNSPEC
     usersa.sel.prefixlen_s = 128
     usersa.family = AF_INET

 Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
 limits on prefixlen_{s,d}. But then copy_from_user_state sets
 x->sel.family to usersa.family (AF_INET). Do the same conversion in
 verify_newsa_info before validating prefixlen_{s,d}, since that's how
 prefixlen is going to be used later on.

 The Linux kernel CVE team has assigned CVE-2024-50142 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.323 with commit f31398570acf0f0804c644006f7bfa9067106b0a
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.285 with commit 401ad99a5ae7180dd9449eac104cb755f442e7f3
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.229 with commit 8df5cd51fd70c33aa1776e5cbcd82b0a86649d73
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.170 with commit 2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.115 with commit bce1afaa212ec380bf971614f70909a27882b862
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.59 with commit 7d9868180bd1e4cf37e7c5067362658971162366
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.11.6 with commit e68dd80ba498265d2266b12dc3459164f4ff0c4a
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12 with commit 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50142
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/xfrm/xfrm_user.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a
 	https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3
 	https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73
 	https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71
 	https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862
 	https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366
 	https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a
 	https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50142: xfrm: validate new SA's prefixlen using SA family when sel.family is unset

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	xfrm: validate new SA's prefixlen using SA family when sel.family is unset

	This expands the validation introduced in commit 07bf7908950a ("xfrm:
	Validate address prefix lengths in the xfrm selector.")

	syzbot created an SA with
	usersa.sel.family = AF_UNSPEC
	usersa.sel.prefixlen_s = 128
	usersa.family = AF_INET

	Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
	limits on prefixlen_{s,d}. But then copy_from_user_state sets
	x->sel.family to usersa.family (AF_INET). Do the same conversion in
	verify_newsa_info before validating prefixlen_{s,d}, since that's how
	prefixlen is going to be used later on.

	The Linux kernel CVE team has assigned CVE-2024-50142 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.323 with commit f31398570acf0f0804c644006f7bfa9067106b0a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.285 with commit 401ad99a5ae7180dd9449eac104cb755f442e7f3
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.229 with commit 8df5cd51fd70c33aa1776e5cbcd82b0a86649d73
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.170 with commit 2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.115 with commit bce1afaa212ec380bf971614f70909a27882b862
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.59 with commit 7d9868180bd1e4cf37e7c5067362658971162366
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.11.6 with commit e68dd80ba498265d2266b12dc3459164f4ff0c4a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12 with commit 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50142
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/xfrm/xfrm_user.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a
	https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3
	https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73
	https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71
	https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862
	https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366
	https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a
	https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563