From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2024-26611: xsk: fix usage of multi-buffer BPF helpers for ZC XDP
Date: Thu, 29 Feb 2024 15:53:02 +0000
Message-ID: <20240229155245.1571576-43-lee@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

xsk: fix usage of multi-buffer BPF helpers for ZC XDP

Currently, when a packet is shrunk via bpf_xdp_adjust_tail() and the memory
type is set to MEM_TYPE_XSK_BUFF_POOL, a null ptr dereference happens:

[1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034
[1136314.203943] #PF: supervisor read access in kernel mode
[1136314.213768] #PF: error_code(0x0000) - not-present page
[1136314.223550] PGD 0 P4D 0
[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI
[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257
[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210
[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86
[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246
[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000
[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc9003168c000
[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000
[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12: 0000000000000001
[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001
[1136314.373298] FS:  00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000
[1136314.386105] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0
[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1136314.431890] PKRU: 55555554
[1136314.439143] Call Trace:
[1136314.446058]
[1136314.452465]  ? __die+0x20/0x70
[1136314.459881]  ? page_fault_oops+0x15b/0x440
[1136314.468305]  ? exc_page_fault+0x6a/0x150
[1136314.476491]  ? asm_exc_page_fault+0x22/0x30
[1136314.484927]  ? __xdp_return+0x6c/0x210
[1136314.492863]  bpf_xdp_adjust_tail+0x155/0x1d0
[1136314.501269]  bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60
[1136314.511263]  ice_clean_rx_irq_zc+0x206/0xc60 [ice]
[1136314.520222]  ? ice_xmit_zc+0x6e/0x150 [ice]
[1136314.528506]  ice_napi_poll+0x467/0x670 [ice]
[1136314.536858]  ? ttwu_do_activate.constprop.0+0x8f/0x1a0
[1136314.546010]  __napi_poll+0x29/0x1b0
[1136314.553462]  net_rx_action+0x133/0x270
[1136314.561619]  __do_softirq+0xbe/0x28e
[1136314.569303]  do_softirq+0x3f/0x60

This comes from the __xdp_return() call with the xdp_buff argument passed as
NULL, which is supposed to be consumed by the xsk_buff_free() call.

To address this properly, in the ZC case, a node that represents the frag
being removed has to be pulled out of xskb_list. Introduce appropriate xsk
helpers to do such node operation and use them accordingly within
bpf_xdp_adjust_tail().

The Linux kernel CVE team has assigned CVE-2024-26611 to this issue.

Affected and fixed versions
===========================

Issue introduced in 6.6 with commit 24ea50127ecf and fixed in 6.6.15 with commit 82ee4781b820
Issue introduced in 6.6 with commit 24ea50127ecf and fixed in 6.7.3 with commit 5cd781f7216f
Issue introduced in 6.6 with commit 24ea50127ecf and fixed in 6.8-rc2 with commit c5114710c8ce

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26611
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
include/net/xdp_sock_drv.h
net/core/filter.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768
https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540
https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82
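As an added example that is not part of the advisory or of the kernel project, the following POSIX shell check maps a kernel version string onto the boundaries stated above (introduced in 6.6; fixed in 6.6.15, 6.7.3 and 6.8-rc2) so an operator can tell whether a given release sits inside the affected window. It assumes that anything after a `-` or `+` in the version string (distro suffixes such as `-generic`) carries no upstream version meaning, and it uses the advisory's 6.6 boundary as the introduction point.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a kernel version string
# against the CVE-2024-26611 window the advisory states (introduced in 6.6;
# fixed in 6.6.15, 6.7.3 and 6.8-rc2). Distro suffixes after '-' or '+' are
# assumed to carry no upstream meaning (an assumption, not from the advisory).

# Map "6.6.15", "6.8-rc2" or "6.7.2-arch1-1" to one sortable integer laid out
# as M mmm ppp rrr (major, minor, patch, rc); final releases get rc=999 so
# that 6.8-rc2 sorts before 6.8.
ver_key() {
    v=$1
    rc=999
    case "$v" in
        *-rc*) rc=${v#*-rc}; rc=${rc%%[!0-9]*}; v=${v%%-rc*} ;;
    esac
    v=${v%%[-+]*}                    # drop "-generic", "+", "-200.fc39" tails
    maj=${v%%.*}; rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%[!0-9]*}
    [ -n "$min" ] || min=0
    [ -n "$pat" ] || pat=0
    printf '%d%03d%03d%03d\n' "$maj" "$min" "$pat" "$rc"
}

# Exit status 0 when the version lies inside an affected range, 1 otherwise.
# Each stable series has its own fix point, so the series is selected first.
cve_2024_26611_affected() {
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 6.6)" ] || return 1      # pre-6.6: bug not present
    if [ "$k" -lt "$(ver_key 6.7-rc1)" ]; then      # 6.6.y stable series
        [ "$k" -lt "$(ver_key 6.6.15)" ]
    elif [ "$k" -lt "$(ver_key 6.8-rc1)" ]; then    # 6.7.y stable series
        [ "$k" -lt "$(ver_key 6.7.3)" ]
    else                                            # 6.8 development series
        [ "$k" -lt "$(ver_key 6.8-rc2)" ]
    fi
}

# Report on the running kernel; the functions above can also be fed any
# version string taken from an inventory.
if cve_2024_26611_affected "$(uname -r)"; then
    echo "kernel $(uname -r): inside the CVE-2024-26611 affected window"
else
    echo "kernel $(uname -r): outside the CVE-2024-26611 affected window"
fi
```

A version outside the window is not proof of a fix on distribution kernels that backport patches without bumping the upstream version; the commit URLs above are the authoritative check there.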