Re: CVE-2024-35941: net: skbuff: add overflow debug check to pull/push helpers

[Michal Hocko]

AFAICS this patch is not fixing any security bug. It adds debugging
output and triggers a WARN_ON with CONFIG_DEBUG_NET (which could panic
the system with panic_on_warn which has been broadly considered a CVE
material by the kernel CVE team).

Please drop this CVE.

On Sun 19-05-24 12:11:35, Greg KH wrote:
> Description
> ===========
> 
> In the Linux kernel, the following vulnerability has been resolved:
> 
> net: skbuff: add overflow debug check to pull/push helpers
> 
> syzbot managed to trigger following splat:
> BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50
> Read of size 1 at addr ffff888208a4000e by task a.out/2313
> [..]
>   __skb_flow_dissect+0x4a3b/0x5e50
>   __skb_get_hash+0xb4/0x400
>   ip_tunnel_xmit+0x77e/0x26f0
>   ipip_tunnel_xmit+0x298/0x410
>   ..
> 
> Analysis shows that the skb has a valid ->head, but bogus ->data
> pointer.
> 
> skb->data gets its bogus value via the neigh layer, which does:
> 
> 1556    __skb_pull(skb, skb_network_offset(skb));
> 
> ... and the skb was already dodgy at this point:
> 
> skb_network_offset(skb) returns a negative value due to an
> earlier overflow of skb->network_header (u16).  __skb_pull thus
> "adjusts" skb->data by a huge offset, pointing outside skb->head
> area.
> 
> Allow debug builds to splat when we try to pull/push more than
> INT_MAX bytes.
> 
> After this, the syzkaller reproducer yields a more precise splat
> before the flow dissector attempts to read off skb->data memory:
> 
> WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400
>   ip_finish_output2+0xb25/0xed0
>   iptunnel_xmit+0x4ff/0x870
>   ipgre_xmit+0x78e/0xbb0
> 
> The Linux kernel CVE team has assigned CVE-2024-35941 to this issue.
> 
> 
> Affected and fixed versions
> ===========================
> 
> 	Fixed in 6.1.86 with commit 8af60bb2b215
> 	Fixed in 6.6.27 with commit 1b2b26595bb0
> 	Fixed in 6.8.6 with commit fff05b2b004d
> 	Fixed in 6.9 with commit 219eee9c0d16
> 
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
> 
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions.  The official CVE entry at
> 	https://cve.org/CVERecord/?id=CVE-2024-35941
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
> 
> 
> Affected files
> ==============
> 
> The file(s) affected by this issue are:
> 	include/linux/skbuff.h
> 
> 
> Mitigation
> ==========
> 
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes.  Individual
> changes are never tested alone, but rather are part of a larger kernel
> release.  Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all.  If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> 	https://git.kernel.org/stable/c/8af60bb2b215f478b886f1d6d302fefa7f0b917d
> 	https://git.kernel.org/stable/c/1b2b26595bb09febf14c5444c873ac4ec90a5a77
> 	https://git.kernel.org/stable/c/fff05b2b004d9a8a2416d08647f3dc9068e357c8
> 	https://git.kernel.org/stable/c/219eee9c0d16f1b754a8b85275854ab17df0850a

-- 
Michal Hocko
SUSE Labs