| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Jun 2024 13:01:17 +0200 From: Michal Hocko <mhocko@...e.com> To: cve@...nel.org, linux-kernel@...r.kernel.org Cc: linux-cve-announce@...r.kernel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: Re: CVE-2024-35941: net: skbuff: add overflow debug check to pull/push helpers AFAICS this patch is not fixing any security bug. It adds debugging output and triggers a WARN_ON with CONFIG_DEBUG_NET (which could panic the system with panic_on_warn which has been broadly considered a CVE material by the kernel CVE team). Please drop this CVE. On Sun 19-05-24 12:11:35, Greg KH wrote: > Description > =========== > > In the Linux kernel, the following vulnerability has been resolved: > > net: skbuff: add overflow debug check to pull/push helpers > > syzbot managed to trigger following splat: > BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50 > Read of size 1 at addr ffff888208a4000e by task a.out/2313 > [..] > __skb_flow_dissect+0x4a3b/0x5e50 > __skb_get_hash+0xb4/0x400 > ip_tunnel_xmit+0x77e/0x26f0 > ipip_tunnel_xmit+0x298/0x410 > .. > > Analysis shows that the skb has a valid ->head, but bogus ->data > pointer. > > skb->data gets its bogus value via the neigh layer, which does: > > 1556 __skb_pull(skb, skb_network_offset(skb)); > > ... and the skb was already dodgy at this point: > > skb_network_offset(skb) returns a negative value due to an > earlier overflow of skb->network_header (u16). __skb_pull thus > "adjusts" skb->data by a huge offset, pointing outside skb->head > area. > > Allow debug builds to splat when we try to pull/push more than > INT_MAX bytes. > > After this, the syzkaller reproducer yields a more precise splat > before the flow dissector attempts to read off skb->data memory: > > WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400 > ip_finish_output2+0xb25/0xed0 > iptunnel_xmit+0x4ff/0x870 > ipgre_xmit+0x78e/0xbb0 > > The Linux kernel CVE team has assigned CVE-2024-35941 to this issue. > > > Affected and fixed versions > =========================== > > Fixed in 6.1.86 with commit 8af60bb2b215 > Fixed in 6.6.27 with commit 1b2b26595bb0 > Fixed in 6.8.6 with commit fff05b2b004d > Fixed in 6.9 with commit 219eee9c0d16 > > Please see https://www.kernel.org for a full list of currently supported > kernel versions by the kernel community. > > Unaffected versions might change over time as fixes are backported to > older supported kernel versions. The official CVE entry at > https://cve.org/CVERecord/?id=CVE-2024-35941 > will be updated if fixes are backported, please check that for the most > up to date information about this issue. > > > Affected files > ============== > > The file(s) affected by this issue are: > include/linux/skbuff.h > > > Mitigation > ========== > > The Linux kernel CVE team recommends that you update to the latest > stable kernel version for this, and many other bugfixes. Individual > changes are never tested alone, but rather are part of a larger kernel > release. Cherry-picking individual commits is not recommended or > supported by the Linux kernel community at all. If however, updating to > the latest release is impossible, the individual changes to resolve this > issue can be found at these commits: > https://git.kernel.org/stable/c/8af60bb2b215f478b886f1d6d302fefa7f0b917d > https://git.kernel.org/stable/c/1b2b26595bb09febf14c5444c873ac4ec90a5a77 > https://git.kernel.org/stable/c/fff05b2b004d9a8a2416d08647f3dc9068e357c8 > https://git.kernel.org/stable/c/219eee9c0d16f1b754a8b85275854ab17df0850a -- Michal Hocko SUSE Labs
Powered by blists - more mailing lists