Message-ID: <2024052112-CVE-2023-52843-6515@gregkh>
Date: Tue, 21 May 2024 17:32:19 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2023-52843: llc: verify mac len before reading mac header

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

llc: verify mac len before reading mac header

LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.

Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).

    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
    netif_receive_skb_internal net/core/dev.c:5723 [inline]
    netif_receive_skb+0x58/0x660 net/core/dev.c:5782
    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002

Add a mac_len test before all three eth_hdr(skb) calls under net/llc.

There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2. Which does not
protect against this tun scenario.

But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.

It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that used
to, on top of Token Ring.

At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.

The Linux kernel CVE team has assigned CVE-2023-52843 to this issue.
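
The program below is an added example, not code from the advisory or from the kernel tree. It is a userspace model of the bug and of the check the fix adds: a hypothetical struct skb_model stands in for the sk_buff fields the LLC path consults (mac_header, mac_len, data, len, protocol), eth_hdr_model() for eth_hdr(), and the two llc_pdu_decode_sa_* functions for the pre-fix and post-fix behaviour of reading h_source out of the mac header. Two constructed inputs are compared: a genuine 802.3 frame that eth_type_trans() has tagged with mac_len = ETH_HLEN, and the syzbot shape, a write to a tun device (assumed IFF_TUN, without IFF_NO_PI) whose tun_pi.proto sets skb->protocol = ETH_P_802_2 while mac_len stays 0. The unchecked path counts how many of the six h_source bytes it reads from memory the packet does not own, which is what KMSAN reports as uninit-value; the checked path drops the tun frame before the mac header is touched. The real kernel spreads the protocol test and the new mac_len test over llc_pdu.h, llc_fixup_skb() and the two other eth_hdr() call sites; this model folds them into one function per behaviour.

```c
/* Added example: userspace model of the CVE-2023-52843 mac_len check. Not kernel code;
 * struct skb_model and every function here are stand-ins for sk_buff, eth_hdr() and
 * llc_pdu_decode_sa(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_HLEN      14
#define ETH_P_802_2   0x0004   /* pseudo-protocol eth_type_trans() assigns to 802.3 length frames */
#define LLC_PDU_LEN_U 3        /* DSAP, SSAP, control */
#define UNINIT        0xAA     /* marks buffer bytes the packet never wrote */

/* Hypothetical stand-in for struct sk_buff: only the fields the LLC path consults. */
struct skb_model {
    uint8_t  buf[64];      /* backing storage, pre-filled with UNINIT */
    size_t   mac_header;   /* offset of the mac header (skb_reset_mac_header) */
    unsigned mac_len;      /* 0 unless eth_type_trans() saw an Ethernet header */
    size_t   data;         /* offset of skb->data */
    size_t   len;          /* skb->len */
    uint16_t protocol;     /* skb->protocol, host byte order in this model */
};

static uint8_t *eth_hdr_model(const struct skb_model *skb)
{
    return (uint8_t *)skb->buf + skb->mac_header;   /* what eth_hdr(skb) resolves to */
}

/* Constructed input 1: a real 802.3 frame carrying an LLC TEST PDU, received on an
 * Ethernet device. eth_type_trans() is modelled by setting mac_len and pulling the header. */
static void make_eth_802_2_skb(struct skb_model *skb)
{
    static const uint8_t frame[ETH_HLEN + LLC_PDU_LEN_U] = {
        0x01, 0x80, 0xc2, 0x00, 0x00, 0x00,   /* h_dest */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* h_source */
        0x00, 0x03,                           /* 802.3 length field: 3 */
        0x00, 0x00, 0xe3,                     /* DSAP=0 SSAP=0 ctrl=TEST cmd, P/F set */
    };
    memset(skb->buf, UNINIT, sizeof skb->buf);
    memcpy(skb->buf, frame, sizeof frame);
    skb->mac_header = 0;
    skb->mac_len    = ETH_HLEN;
    skb->data       = ETH_HLEN;
    skb->len        = LLC_PDU_LEN_U;
    skb->protocol   = ETH_P_802_2;
}

/* Constructed input 2: the syzbot shape. A user writes a 4-byte tun_pi header followed by
 * a bare LLC PDU to a tun device opened without IFF_NO_PI; the kernel strips tun_pi, copies
 * pi.proto into skb->protocol and resets the mac header to skb->data, leaving mac_len at 0
 * (assumption: IFF_TUN, so no Ethernet framing). skb->protocol is therefore attacker-chosen. */
static void make_tun_pi_skb(struct skb_model *skb)
{
    static const uint8_t user_write[4 + LLC_PDU_LEN_U] = {
        0x00, 0x00,        /* tun_pi.flags */
        0x00, 0x04,        /* tun_pi.proto = htons(ETH_P_802_2) */
        0x00, 0x00, 0xe3,  /* the same TEST PDU, no Ethernet header in front */
    };
    memset(skb->buf, UNINIT, sizeof skb->buf);
    memcpy(skb->buf, user_write + 4, LLC_PDU_LEN_U);
    skb->mac_header = 0;
    skb->mac_len    = 0;
    skb->data       = 0;
    skb->len        = LLC_PDU_LEN_U;
    skb->protocol   = ETH_P_802_2;   /* taken from pi.proto */
}

/* How many of the n bytes at buf[off, off+n) lie outside the packet, i.e. in neither the
 * mac header nor [data, data+len). In the kernel these are the bytes KMSAN flags as uninit. */
static size_t bytes_outside_packet(const struct skb_model *skb, size_t off, size_t n)
{
    size_t outside = 0;
    for (size_t i = off; i < off + n; i++) {
        int in_mac  = skb->mac_len && i >= skb->mac_header && i < skb->mac_header + skb->mac_len;
        int in_data = i >= skb->data && i < skb->data + skb->len;
        if (!in_mac && !in_data)
            outside++;
    }
    return outside;
}

/* Pre-fix behaviour of llc_pdu_decode_sa(): skb->protocol == ETH_P_802_2 is the only guard,
 * so h_source is read wherever the mac header pointer lands. Returns the number of bytes
 * read from memory the packet does not own (0 for a well-formed Ethernet frame). */
static size_t llc_pdu_decode_sa_unchecked(const struct skb_model *skb, uint8_t sa[ETH_ALEN])
{
    if (skb->protocol != ETH_P_802_2)
        return 0;
    memcpy(sa, eth_hdr_model(skb) + ETH_ALEN, ETH_ALEN);   /* eth_hdr(skb)->h_source */
    return bytes_outside_packet(skb, skb->mac_header + ETH_ALEN, ETH_ALEN);
}

/* Post-fix behaviour: the mac_len test the patch adds in llc_fixup_skb() runs before any
 * LLC code dereferences the mac header, so a frame without a full Ethernet header is dropped. */
static int llc_pdu_decode_sa_checked(const struct skb_model *skb, uint8_t sa[ETH_ALEN])
{
    if (skb->mac_len < ETH_HLEN)
        return -1;                                       /* dropped in llc_fixup_skb() */
    if (skb->protocol != ETH_P_802_2)
        return -1;
    memcpy(sa, eth_hdr_model(skb) + ETH_ALEN, ETH_ALEN);
    return 0;
}

int main(void)
{
    struct skb_model eth, tun;
    uint8_t sa[ETH_ALEN];
    make_eth_802_2_skb(&eth);
    make_tun_pi_skb(&tun);
    printf("eth unchecked: %zu bytes outside packet\n", llc_pdu_decode_sa_unchecked(&eth, sa));
    size_t bad = llc_pdu_decode_sa_unchecked(&tun, sa);
    printf("tun unchecked: %zu bytes outside packet, sa[0]=0x%02x\n", bad, sa[0]);
    printf("eth checked: %d, tun checked: %d\n",
           llc_pdu_decode_sa_checked(&eth, sa), llc_pdu_decode_sa_checked(&tun, sa));
    return 0;
}
```

The model shows why the commit message calls the existing skb->protocol == ETH_P_802_2 guard insufficient: on the tun path that field is copied straight from user-supplied tun_pi.proto, so it says nothing about whether a mac header exists, whereas mac_len is only set by eth_type_trans() after an Ethernet header has actually been parsed.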


Affected and fixed versions
===========================

	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 4.14.330 with commit 900a4418e3f6
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 4.19.299 with commit 9a3f9054a522
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 5.4.261 with commit cbdcdf42d15d
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 5.10.201 with commit 3a2653828ffc
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 5.15.139 with commit 352887b3edd0
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 6.1.63 with commit f980e9a57dfb
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 6.5.12 with commit 0a720d0259ad
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 6.6.2 with commit ff5cb6a4f0c6
	Issue introduced in 2.6.25 with commit f83f1768f833 and fixed in 6.7 with commit 7b3ba18703a6

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52843
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/llc/llc_input.c
	net/llc/llc_s_ac.c
	net/llc/llc_station.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535
	https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c
	https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f
	https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779
	https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b
	https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29
	https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a
	https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79
	https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b
