cve/published/2024/CVE-2024-57802.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57802: netrom: check buffer length before accessing it

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netrom: check buffer length before accessing it

 Syzkaller reports an uninit value read from ax25cmp when sending raw message
 through ieee802154 implementation.

 =====================================================
 BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
  ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
  nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601
  nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774
  nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
  __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
  netdev_start_xmit include/linux/netdevice.h:4954 [inline]
  xmit_one net/core/dev.c:3548 [inline]
  dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
  __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
  dev_queue_xmit include/linux/netdevice.h:3134 [inline]
  raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299
  ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
  __sys_sendmsg net/socket.c:2667 [inline]
  __do_sys_sendmsg net/socket.c:2676 [inline]
  __se_sys_sendmsg net/socket.c:2674 [inline]
  __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x63/0x6b

 Uninit was created at:
  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
  slab_alloc_node mm/slub.c:3478 [inline]
  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
  __alloc_skb+0x318/0x740 net/core/skbuff.c:651
  alloc_skb include/linux/skbuff.h:1286 [inline]
  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
  sock_alloc_send_skb include/net/sock.h:1884 [inline]
  raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282
  ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
  __sys_sendmsg net/socket.c:2667 [inline]
  __do_sys_sendmsg net/socket.c:2676 [inline]
  __se_sys_sendmsg net/socket.c:2674 [inline]
  __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x63/0x6b

 CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
 =====================================================

 This issue occurs because the skb buffer is too small, and it's actual
 allocation is aligned. This hides an actual issue, which is that nr_route_frame
 does not validate the buffer size before using it.

 Fix this issue by checking skb->len before accessing any fields in skb->data.

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

 The Linux kernel CVE team has assigned CVE-2024-57802 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.289 with commit 64e9f54a14f2887be8634fb85cd2f13bec18a184
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.233 with commit cf6befa7c569787f53440274bbed1405fc07738d
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.176 with commit 769e36c2119a51070faf58819c58274f57a088db
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.124 with commit 78a110332ae268d0b005247c3b9a7d703b875c49
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.70 with commit f647d72245aadce30618f4c8fd3803904418dbec
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.9 with commit 3ba7f80d98d4965349cfcd258dd78418496c1625
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.13 with commit a4fd163aed2edd967a244499754dec991d8b4c7d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57802
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netrom/nr_route.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/64e9f54a14f2887be8634fb85cd2f13bec18a184
 	https://git.kernel.org/stable/c/cf6befa7c569787f53440274bbed1405fc07738d
 	https://git.kernel.org/stable/c/769e36c2119a51070faf58819c58274f57a088db
 	https://git.kernel.org/stable/c/78a110332ae268d0b005247c3b9a7d703b875c49
 	https://git.kernel.org/stable/c/f647d72245aadce30618f4c8fd3803904418dbec
 	https://git.kernel.org/stable/c/3ba7f80d98d4965349cfcd258dd78418496c1625
 	https://git.kernel.org/stable/c/a4fd163aed2edd967a244499754dec991d8b4c7d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57802: netrom: check buffer length before accessing it

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netrom: check buffer length before accessing it

	Syzkaller reports an uninit value read from ax25cmp when sending raw message
	through ieee802154 implementation.

	=====================================================
	BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
	ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
	nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601
	nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774
	nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
	__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
	netdev_start_xmit include/linux/netdevice.h:4954 [inline]
	xmit_one net/core/dev.c:3548 [inline]
	dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
	__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
	dev_queue_xmit include/linux/netdevice.h:3134 [inline]
	raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299
	ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg net/socket.c:745 [inline]
	____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	Uninit was created at:
	slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
	slab_alloc_node mm/slub.c:3478 [inline]
	kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
	__alloc_skb+0x318/0x740 net/core/skbuff.c:651
	alloc_skb include/linux/skbuff.h:1286 [inline]
	alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
	sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
	sock_alloc_send_skb include/net/sock.h:1884 [inline]
	raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282
	ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg net/socket.c:745 [inline]
	____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
	__sys_sendmsg net/socket.c:2667 [inline]
	__do_sys_sendmsg net/socket.c:2676 [inline]
	__se_sys_sendmsg net/socket.c:2674 [inline]
	__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
	=====================================================

	This issue occurs because the skb buffer is too small, and it's actual
	allocation is aligned. This hides an actual issue, which is that nr_route_frame
	does not validate the buffer size before using it.

	Fix this issue by checking skb->len before accessing any fields in skb->data.

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	The Linux kernel CVE team has assigned CVE-2024-57802 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.289 with commit 64e9f54a14f2887be8634fb85cd2f13bec18a184
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.233 with commit cf6befa7c569787f53440274bbed1405fc07738d
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.176 with commit 769e36c2119a51070faf58819c58274f57a088db
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.124 with commit 78a110332ae268d0b005247c3b9a7d703b875c49
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.70 with commit f647d72245aadce30618f4c8fd3803904418dbec
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.9 with commit 3ba7f80d98d4965349cfcd258dd78418496c1625
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.13 with commit a4fd163aed2edd967a244499754dec991d8b4c7d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57802
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netrom/nr_route.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/64e9f54a14f2887be8634fb85cd2f13bec18a184
	https://git.kernel.org/stable/c/cf6befa7c569787f53440274bbed1405fc07738d
	https://git.kernel.org/stable/c/769e36c2119a51070faf58819c58274f57a088db
	https://git.kernel.org/stable/c/78a110332ae268d0b005247c3b9a7d703b875c49
	https://git.kernel.org/stable/c/f647d72245aadce30618f4c8fd3803904418dbec
	https://git.kernel.org/stable/c/3ba7f80d98d4965349cfcd258dd78418496c1625
	https://git.kernel.org/stable/c/a4fd163aed2edd967a244499754dec991d8b4c7d