Message-ID: <2024053042-CVE-2024-36937-be12@gregkh>
Date: Thu, 30 May 2024 17:29:29 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-36937: xdp: use flags field to disambiguate broadcast redirect

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

xdp: use flags field to disambiguate broadcast redirect

When redirecting a packet using XDP, the bpf_redirect_map() helper will set
up the redirect destination information in struct bpf_redirect_info (using
the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()
function will read this information after the XDP program returns and pass
the frame on to the right redirect destination.

When using the BPF_F_BROADCAST flag to do multicast redirect to a whole
map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct
bpf_redirect_info to point to the destination map to be broadcast. And
xdp_do_redirect() reacts to the value of this map pointer to decide whether
it's dealing with a broadcast or a single-value redirect. However, if the
destination map is being destroyed before xdp_do_redirect() is called, the
map pointer will be cleared out (by bpf_clear_redirect_map()) without
waiting for any XDP programs to stop running. This causes xdp_do_redirect()
to think that the redirect was to a single target, but the target pointer
is also NULL (since broadcast redirects don't have a single target), so
this causes a crash when a NULL pointer is passed to dev_map_enqueue().

To fix this, change xdp_do_redirect() to react directly to the presence of
the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info
to disambiguate between a single-target and a broadcast redirect. And only
read the 'map' pointer if the broadcast flag is set, aborting if that has
been cleared out in the meantime. This prevents the crash, while keeping
the atomic (cmpxchg-based) clearing of the map pointer itself, and without
adding any more checks in the non-broadcast fast path.
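The check described above, as an added userspace model that is not the kernel's code: the pre-fix path decides broadcast vs single target from the 'map' pointer, so a map cleared mid-flight leaves it with a NULL target, while the post-fix path decides from BPF_F_BROADCAST and aborts when 'map' has been cleared. The struct, the result enum and broadcast_redirect() are simplified stand-ins, and the race is simulated by clearing the pointer before the decision runs.

```c
/* Model of the xdp_do_redirect() decision before and after the fix.
 * Added illustration, not kernel code: the struct is a simplified stand-in
 * and the race is simulated by clearing 'map' after bpf_redirect_map()
 * would have set it but before the redirect is resolved. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BPF_F_BROADCAST (1U << 3) /* same value as include/uapi/linux/bpf.h */

enum redir_result { REDIR_SINGLE, REDIR_BROADCAST, REDIR_ABORTED, REDIR_NULL_DEREF };

struct bpf_redirect_info {      /* simplified stand-in for the kernel struct */
    uint32_t flags;
    void *tgt_value;            /* single destination; NULL for broadcast */
    void *map;                  /* destination map; cleared on map teardown */
};

/* Pre-fix logic: the map pointer alone decides broadcast vs single target. */
static enum redir_result xdp_do_redirect_before(const struct bpf_redirect_info *ri)
{
    if (ri->map)
        return REDIR_BROADCAST;
    /* single-target path: the kernel would call dev_map_enqueue(tgt_value) */
    return ri->tgt_value ? REDIR_SINGLE : REDIR_NULL_DEREF;
}

/* Post-fix logic: the flag decides; 'map' is read only on the broadcast path. */
static enum redir_result xdp_do_redirect_after(const struct bpf_redirect_info *ri)
{
    if (ri->flags & BPF_F_BROADCAST)
        return ri->map ? REDIR_BROADCAST : REDIR_ABORTED; /* map gone: drop frame */
    return ri->tgt_value ? REDIR_SINGLE : REDIR_NULL_DEREF;
}

/* One broadcast redirect. With 'map_destroyed' the map pointer is cleared
 * before the decision runs, modelling bpf_clear_redirect_map() winning the race. */
static enum redir_result broadcast_redirect(bool fixed, bool map_destroyed)
{
    int dummy_map;              /* stands in for the destination map object */
    struct bpf_redirect_info ri = { BPF_F_BROADCAST, NULL, &dummy_map };

    if (map_destroyed)
        ri.map = NULL;
    return fixed ? xdp_do_redirect_after(&ri) : xdp_do_redirect_before(&ri);
}
```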

The Linux kernel CVE team has assigned CVE-2024-36937 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 5.15.159 with commit 12481f30128f
	Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.1.91 with commit 272bfb019f3c
	Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.6.31 with commit e22e25820fa0
	Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.8.10 with commit 6fd81f9d333e
	Issue introduced in 5.14 with commit e624d4ed4aa8 and fixed in 6.9 with commit 5bcf0dcbf906

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36937
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/core/filter.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e
	https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc
	https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4
	https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553
	https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c
