| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024040302-CVE-2024-26752-cb0a@gregkh>
Date: Wed, 3 Apr 2024 19:31:19 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-26752: l2tp: pass correct message length to ip6_append_data
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
l2tp: pass correct message length to ip6_append_data
l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.
To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.
However, the code which performed the calculation was incorrect:
ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
..due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.
Add parentheses to correct the calculation in line with the original
intent.
The Linux kernel CVE team has assigned CVE-2024-26752 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.19.296 with commit 559d697c5d07 and fixed in 4.19.308 with commit 4c3ce64bc9d3
Issue introduced in 5.4.258 with commit 1fc793d68d50 and fixed in 5.4.270 with commit c1d3a84a67db
Issue introduced in 5.10.198 with commit 96b2e1090397 and fixed in 5.10.211 with commit dcb4d1426859
Issue introduced in 5.15.135 with commit cd1189956393 and fixed in 5.15.150 with commit 0da15a703951
Issue introduced in 6.1.57 with commit f6a7182179c0 and fixed in 6.1.80 with commit 13cd1daeea84
Issue introduced in 6.6 with commit 9d4c75800f61 and fixed in 6.6.19 with commit 804bd8650a3a
Issue introduced in 6.6 with commit 9d4c75800f61 and fixed in 6.7.7 with commit 83340c66b498
Issue introduced in 6.6 with commit 9d4c75800f61 and fixed in 6.8 with commit 359e54a93ab4
Issue introduced in 4.14.327 with commit 7626b9fed530
Issue introduced in 6.5.7 with commit fe80658c08e3
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26752
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/l2tp/l2tp_ip6.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae
https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5
https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243
https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d
https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500
https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56
https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6
https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79
Powered by blists - more mailing lists