From mboxrd@z Thu Jan 1 00:00:00 1970
From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2024-26633: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
Date: Mon, 18 Mar 2024 10:08:06 +0000
Message-ID: <20240318100758.2828621-16-lee@kernel.org>
X-Mailing-List: linux-cve-announce@vger.kernel.org

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.

Reading frag_off can only be done if we pulled enough bytes to skb->head.

Currently we might access garbage.
[1]
BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
 ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
 pskb_may_pull include/linux/skbuff.h:2681 [inline]
 ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
 ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

The Linux kernel CVE team has assigned CVE-2024-26633 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 4.19.306 with commit 135414f300c5
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 5.4.268 with commit 3f15ba3dc14e
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 5.10.209 with commit da23bd709b46
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 5.15.148 with commit 4329426cf6b8
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.1.75 with commit 62a1fedeb14c
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.6.14 with commit 687c5d52fe53
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.7.2 with commit ba8d904c2742
	Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.8 with commit d375b98e0248

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26633
will be updated if fixes are backported, please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/ipv6/ip6_tunnel.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all.
If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee
	https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c
	https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd
	https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d
	https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
	https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183
	https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087
	https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198
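The Description above states the bug in one sentence: frag_off can only be read once enough of the packet has been pulled into skb->head, and the walk read it before doing so. The following is an added example, not the kernel's code and not the fix commit: a self-contained userspace C model of the extension-header walk, in which may_pull() stands in for pskb_may_pull() and any read that lands outside the pulled window is counted, which is what KMSAN reports as "uninit-value" in the trace. Everything here is constructed for the illustration: struct pkt, may_pull/rd8/rd16, the sample packet bytes (IPv6 header, a first-fragment header, then a Destination Options header carrying a Tunnel Encapsulation Limit of 3), the assumption that only the 40-byte IPv6 header starts out in the linear area, the model's rule that a nonzero frag_off ends the walk, and the offset/0 return convention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header numbers used by this model (same values as NEXTHDR_*). */
#define NEXTHDR_HOP      0
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_NONE     59
#define NEXTHDR_DEST     60
#define IPV6_TLV_TNL_ENCAP_LIMIT 4

#define IPV6_HDRLEN 40
#define FRAG_HDRLEN 8

/* Constructed model of an skb: `len` bytes exist in the packet, but only the
 * first `linear` are directly readable (skb->head); the rest must be pulled. */
struct pkt {
    uint8_t data[128];
    size_t len;
    size_t linear;
};

/* Reads that touched bytes beyond the pulled window (what KMSAN flags). */
static int uninit_reads;

/* Model of pskb_may_pull(): succeed, widening the readable window, only if
 * the packet really contains `need` bytes. */
static int may_pull(struct pkt *p, size_t need)
{
    if (need > p->len)
        return 0;
    if (need > p->linear)
        p->linear = need;
    return 1;
}

/* Unchecked reads, like dereferencing a header pointer in C: a byte outside
 * the pulled window comes back as a poison value and is counted. */
static uint8_t rd8(const struct pkt *p, size_t off)
{
    if (off >= p->linear) {
        uninit_reads++;
        return 0xAA;
    }
    return p->data[off];
}

static uint16_t rd16(const struct pkt *p, size_t off)
{
    return (uint16_t)((rd8(p, off) << 8) | rd8(p, off + 1));
}

/* Walk the extension headers behind the IPv6 header at offset 0 looking for
 * the Tunnel Encapsulation Limit option in a Destination Options header.
 * Returns the offset of the option's value byte, or 0 if the walk stops first.
 * `fixed` selects whether the fragment header is pulled before frag_off is read. */
static size_t parse_tlv_enc_lim(struct pkt *p, int fixed)
{
    if (!may_pull(p, IPV6_HDRLEN))
        return 0;
    uint8_t nexthdr = rd8(p, 6);            /* ipv6hdr.nexthdr */
    size_t off = IPV6_HDRLEN;

    while (nexthdr != NEXTHDR_DEST) {
        size_t optlen;

        if (!may_pull(p, off + 2))          /* nexthdr + hdrlen: 2 bytes */
            return 0;
        if (nexthdr == NEXTHDR_FRAGMENT) {
            /* frag_off is bytes 2..3 of the 8-byte fragment header, so the
             * 2-byte pull above does not cover it.  The fixed variant pulls
             * the whole header first; the vulnerable one reads it blind. */
            if (fixed && !may_pull(p, off + FRAG_HDRLEN))
                return 0;
            if (rd16(p, off + 2) != 0)      /* model rule: stop on a nonzero frag_off */
                return 0;
            optlen = FRAG_HDRLEN;
        } else if (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING) {
            optlen = ((size_t)rd8(p, off + 1) + 1) * 8;
        } else {
            return 0;                       /* nothing option-bearing can follow */
        }
        nexthdr = rd8(p, off);
        off += optlen;
    }

    /* Destination Options: pull the whole header, then scan its TLVs. */
    if (!may_pull(p, off + 2))
        return 0;
    size_t optlen = ((size_t)rd8(p, off + 1) + 1) * 8;
    if (!may_pull(p, off + optlen))
        return 0;
    for (size_t i = off + 2; i + 1 < off + optlen; ) {
        uint8_t type = rd8(p, i);
        if (type == 0) {                    /* Pad1 */
            i++;
            continue;
        }
        uint8_t len = rd8(p, i + 1);
        if (type == IPV6_TLV_TNL_ENCAP_LIMIT && len == 1 && i + 2 < off + optlen)
            return i + 2;
        i += 2 + len;
    }
    return 0;
}

/* Constructed sample: IPv6 | Fragment (offset 0) | Dest Opts { TEL=3, PadN }.
 * Only the IPv6 header starts out in the linear area (assumption). */
static void build_sample(struct pkt *p, size_t total_len)
{
    static const uint8_t frag[FRAG_HDRLEN] = { NEXTHDR_DEST, 0, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };
    static const uint8_t dst[8] = { NEXTHDR_NONE, 0, IPV6_TLV_TNL_ENCAP_LIMIT, 1, 3, 1, 1, 0 };
    memset(p, 0, sizeof(*p));
    p->data[0] = 0x60;                       /* version 6 */
    p->data[6] = NEXTHDR_FRAGMENT;           /* ipv6hdr.nexthdr */
    memcpy(p->data + IPV6_HDRLEN, frag, sizeof frag);
    memcpy(p->data + IPV6_HDRLEN + FRAG_HDRLEN, dst, sizeof dst);
    p->len = total_len;                      /* callers may truncate the packet */
    p->linear = IPV6_HDRLEN;
}

struct result {
    size_t off;     /* parser result: option value offset, 0 = stopped/not found */
    int value;      /* the encapsulation-limit byte at that offset, or -1 */
    int uninit;     /* reads that touched memory beyond the pulled window */
};

static struct result run_scenario(int fixed, size_t total_len)
{
    struct pkt p;
    struct result r;
    build_sample(&p, total_len);
    uninit_reads = 0;
    r.off = parse_tlv_enc_lim(&p, fixed);
    r.value = r.off ? p.data[r.off] : -1;
    r.uninit = uninit_reads;
    return r;
}

int main(void)
{
    struct result r;
    r = run_scenario(0, 56);
    printf("vulnerable, full packet:  off=%zu value=%d uninit_reads=%d\n", r.off, r.value, r.uninit);
    r = run_scenario(1, 56);
    printf("fixed, full packet:       off=%zu value=%d uninit_reads=%d\n", r.off, r.value, r.uninit);
    r = run_scenario(1, 44);   /* packet ends inside the fragment header */
    printf("fixed, truncated packet:  off=%zu value=%d uninit_reads=%d\n", r.off, r.value, r.uninit);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it. With the full packet, the vulnerable walk performs two reads past the pulled window (the two frag_off bytes) and then makes its continue-or-stop decision on the poison value, which is exactly the garbage-driven control flow the Description warns about; the fixed walk pulls sizeof(struct frag_hdr) bytes first, sees frag_off == 0, continues into the Destination Options header and returns offset 52, whose byte is the encapsulation limit 3. With a packet that ends inside the fragment header, the fixed walk's pull fails and the parser stops cleanly with no out-of-window read. The trace in [1] shows why this matters: the walk runs on the transmit path, reached from sendmsg() on a raw IPv6 socket through the tunnel device's xmit routine, on a buffer whose unpulled tail was freshly allocated by pskb_expand_head().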