cve/published/2024/CVE-2024-53141.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: ipset: add missing range check in bitmap_ip_uadt

 When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
 the values of ip and ip_to are slightly swapped. Therefore, the range check
 for ip should be done later, but this part is missing and it seems that the
 vulnerability occurs.

 So we should add missing range checks and remove unnecessary range checks.

 The Linux kernel CVE team has assigned CVE-2024-53141 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 4.19.325 with commit 3c20b5948f119ae61ee35ad8584d666020c91581
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 5.4.287 with commit 78b0f2028f1043227a8eb0c41944027fc6a04596
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 5.10.231 with commit 2e151b8ca31607d14fddc4ad0f14da0893e1a7c7
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 5.15.174 with commit e67471437ae9083fa73fa67eee1573fec1b7c8cf
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.1.120 with commit 7ffef5e5d5eeecd9687204a5ec2d863752aafb7e
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.6.64 with commit 856023ef032d824309abd5c747241dffa33aae8c
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.11.11 with commit 591efa494a1cf649f50a35def649c43ae984cd03
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.12.2 with commit 15794835378ed56fb9bacc6a5dd3b9f33520604e
 	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.13 with commit 35f56c554eb1b56b77b3cf197a6b00922d49033d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53141
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/ipset/ip_set_bitmap_ip.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3c20b5948f119ae61ee35ad8584d666020c91581
 	https://git.kernel.org/stable/c/78b0f2028f1043227a8eb0c41944027fc6a04596
 	https://git.kernel.org/stable/c/2e151b8ca31607d14fddc4ad0f14da0893e1a7c7
 	https://git.kernel.org/stable/c/e67471437ae9083fa73fa67eee1573fec1b7c8cf
 	https://git.kernel.org/stable/c/7ffef5e5d5eeecd9687204a5ec2d863752aafb7e
 	https://git.kernel.org/stable/c/856023ef032d824309abd5c747241dffa33aae8c
 	https://git.kernel.org/stable/c/591efa494a1cf649f50a35def649c43ae984cd03
 	https://git.kernel.org/stable/c/15794835378ed56fb9bacc6a5dd3b9f33520604e
 	https://git.kernel.org/stable/c/35f56c554eb1b56b77b3cf197a6b00922d49033d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: ipset: add missing range check in bitmap_ip_uadt

	When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
	the values of ip and ip_to are slightly swapped. Therefore, the range check
	for ip should be done later, but this part is missing and it seems that the
	vulnerability occurs.

	So we should add missing range checks and remove unnecessary range checks.

	The Linux kernel CVE team has assigned CVE-2024-53141 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 4.19.325 with commit 3c20b5948f119ae61ee35ad8584d666020c91581
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 5.4.287 with commit 78b0f2028f1043227a8eb0c41944027fc6a04596
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 5.10.231 with commit 2e151b8ca31607d14fddc4ad0f14da0893e1a7c7
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 5.15.174 with commit e67471437ae9083fa73fa67eee1573fec1b7c8cf
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.1.120 with commit 7ffef5e5d5eeecd9687204a5ec2d863752aafb7e
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.6.64 with commit 856023ef032d824309abd5c747241dffa33aae8c
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.11.11 with commit 591efa494a1cf649f50a35def649c43ae984cd03
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.12.2 with commit 15794835378ed56fb9bacc6a5dd3b9f33520604e
	Issue introduced in 2.6.39 with commit 72205fc68bd13109576aa6c4c12c740962d28a6c and fixed in 6.13 with commit 35f56c554eb1b56b77b3cf197a6b00922d49033d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53141
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/ipset/ip_set_bitmap_ip.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3c20b5948f119ae61ee35ad8584d666020c91581
	https://git.kernel.org/stable/c/78b0f2028f1043227a8eb0c41944027fc6a04596
	https://git.kernel.org/stable/c/2e151b8ca31607d14fddc4ad0f14da0893e1a7c7
	https://git.kernel.org/stable/c/e67471437ae9083fa73fa67eee1573fec1b7c8cf
	https://git.kernel.org/stable/c/7ffef5e5d5eeecd9687204a5ec2d863752aafb7e
	https://git.kernel.org/stable/c/856023ef032d824309abd5c747241dffa33aae8c
	https://git.kernel.org/stable/c/591efa494a1cf649f50a35def649c43ae984cd03
	https://git.kernel.org/stable/c/15794835378ed56fb9bacc6a5dd3b9f33520604e
	https://git.kernel.org/stable/c/35f56c554eb1b56b77b3cf197a6b00922d49033d