CVE-2024-35973

Summary

In the Linux kernel, the following vulnerability has been resolved:

geneve: fix header validation in geneve[6]_xmit_skb

syzbot is able to trigger an uninit-value in geneve_xmit() [1]

Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) uses skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol.

If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all.

If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected.

Add skb_vlan_inet_prepare() to perform a complete mac validation.

Use this in geneve for the moment, I suspect we need to adopt this more broadly.

v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest

  • Only call __vlan_get_protocol() for vlan types.

v2,v3 - Addressed Sabrina comments on v1 and v2

[1]

BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 geneve_xmit_skb drivers/net/geneve.c:910 [inline] geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Affected Software

VendorProductVersion RangeStatus
LinuxLinux35385daa8db320d2d9664930c28e732578b0d7de < 43be590456e1f3566054ce78ae2dbb68cbe1a536affected
LinuxLinux6f92124d74419797fadfbcd5b7a72c384a6413ad < d3adf11d7993518a39bd02b383cfe657ccc0023caffected
LinuxLinux71ad9260c001b217d704cda88ecea251b2d367da < 10204df9beda4978bd1d0c2db0d8375bfb03b915affected
LinuxLinuxd13f048dd40e8577260cd43faea8ec9b77520197 < 3c1ae6de74e3d2d6333d29a2d3e13e6094596c79affected
LinuxLinuxd13f048dd40e8577260cd43faea8ec9b77520197 < 4a1b65d1e55d53b397cb27014208be1e04172670affected
LinuxLinuxd13f048dd40e8577260cd43faea8ec9b77520197 < 190d9efa5773f26d6f334b1b8be282c4fa13fd5eaffected
LinuxLinuxd13f048dd40e8577260cd43faea8ec9b77520197 < 357163fff3a6e48fe74745425a32071ec9caf852affected
LinuxLinuxd13f048dd40e8577260cd43faea8ec9b77520197 < d8a6213d70accb403b82924a1c229e733433a5efaffected
LinuxLinux9a51e36ebf433adf59c051bec33f5aa54640bb4daffected
LinuxLinux21815f28af8081b258552c111774ff320cf38d38affected
LinuxLinux4.19.191 < 4.19.313affected
LinuxLinux5.4.119 < 5.4.275affected
LinuxLinux5.10.37 < 5.10.216affected
LinuxLinux5.11.21 < 5.12affected
LinuxLinux5.12.4 < 5.13affected
LinuxLinux5.13affected
LinuxLinux0 < 5.13unaffected
LinuxLinux4.19.313 <= 4.19.*unaffected
LinuxLinux5.4.275 <= 5.4.*unaffected
LinuxLinux5.10.216 <= 5.10.*unaffected
LinuxLinux5.15.156 <= 5.15.*unaffected
LinuxLinux6.1.87 <= 6.1.*unaffected
LinuxLinux6.6.28 <= 6.6.*unaffected
LinuxLinux6.8.7 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

Additional References

References