[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024053042-CVE-2024-36937-be12@gregkh>
Date: Thu, 30 May 2024 17:29:29 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-36937: xdp: use flags field to disambiguate broadcast redirect
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
xdp: use flags field to disambiguate broadcast redirect
When redirecting a packet using XDP, the bpf_redirect_map() helper will set
up the redirect destination information in struct bpf_redirect_info (using
the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()
function will read this information after the XDP program returns and pass
the frame on to the right redirect destination.
When using the BPF_F_BROADCAST flag to do multicast redirect to a whole
map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct
bpf_redirect_info to point to the destination map to be broadcast. And
xdp_do_redirect() reacts to the value of this map pointer to decide whether
it's dealing with a broadcast or a single-value redirect. However, if the
destination map is being destroyed before xdp_do_redirect() is called, the
map pointer will be cleared out (by bpf_clear_redirect_map()) without
waiting for any XDP programs to stop running. This causes xdp_do_redirect()
to think that the redirect was to a single target, but the target pointer
is also NULL (since broadcast redirects don't have a single target), so
this causes a crash when a NULL pointer is passed to dev_map_enqueue().
To fix this, change xdp_do_redirect() to react directly to the presence of
the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info
to disambiguate between a single-target and a broadcast redirect. And only
read the 'map' pointer if the broadcast flag is set, aborting if that has
been cleared out in the meantime. This prevents the crash, while keeping
the atomic (cmpxchg-based) clearing of the map pointer itself, and without
adding any more checks in the non-broadcast fast path.
The Linux kernel CVE team has assigned CVE-2024-36937 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 5.15.159 with commit 12481f30128f
Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.1.91 with commit 272bfb019f3c
Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.6.31 with commit e22e25820fa0
Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.8.10 with commit 6fd81f9d333e
Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.9 with commit 5bcf0dcbf906
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-36937
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/filter.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e
https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc
https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4
https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553
https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c
Powered by blists - more mailing lists