Re: CVE-2024-35941: net: skbuff: add overflow debug check to pull/push helpers
From: Michal Hocko
Date: Tue Jun 04 2024 - 07:01:34 EST
AFAICS this patch is not fixing any security bug. It adds debugging
output and triggers a WARN_ON with CONFIG_DEBUG_NET (which could panic
the system with panic_on_warn which has been broadly considered a CVE
material by the kernel CVE team).
Please drop this CVE.
On Sun 19-05-24 12:11:35, Greg KH wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> net: skbuff: add overflow debug check to pull/push helpers
>
> syzbot managed to trigger following splat:
> BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50
> Read of size 1 at addr ffff888208a4000e by task a.out/2313
> [..]
> __skb_flow_dissect+0x4a3b/0x5e50
> __skb_get_hash+0xb4/0x400
> ip_tunnel_xmit+0x77e/0x26f0
> ipip_tunnel_xmit+0x298/0x410
> ..
>
> Analysis shows that the skb has a valid ->head, but bogus ->data
> pointer.
>
> skb->data gets its bogus value via the neigh layer, which does:
>
> 1556 __skb_pull(skb, skb_network_offset(skb));
>
> ... and the skb was already dodgy at this point:
>
> skb_network_offset(skb) returns a negative value due to an
> earlier overflow of skb->network_header (u16). __skb_pull thus
> "adjusts" skb->data by a huge offset, pointing outside skb->head
> area.
>
> Allow debug builds to splat when we try to pull/push more than
> INT_MAX bytes.
>
> After this, the syzkaller reproducer yields a more precise splat
> before the flow dissector attempts to read off skb->data memory:
>
> WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400
> ip_finish_output2+0xb25/0xed0
> iptunnel_xmit+0x4ff/0x870
> ipgre_xmit+0x78e/0xbb0
>
> The Linux kernel CVE team has assigned CVE-2024-35941 to this issue.
>
>
> Affected and fixed versions
> ===========================
>
> Fixed in 6.1.86 with commit 8af60bb2b215
> Fixed in 6.6.27 with commit 1b2b26595bb0
> Fixed in 6.8.6 with commit fff05b2b004d
> Fixed in 6.9 with commit 219eee9c0d16
>
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
>
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions. The official CVE entry at
> https://cve.org/CVERecord/?id=CVE-2024-35941
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
>
>
> Affected files
> ==============
>
> The file(s) affected by this issue are:
> include/linux/skbuff.h
>
>
> Mitigation
> ==========
>
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes. Individual
> changes are never tested alone, but rather are part of a larger kernel
> release. Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all. If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> https://git.kernel.org/stable/c/8af60bb2b215f478b886f1d6d302fefa7f0b917d
> https://git.kernel.org/stable/c/1b2b26595bb09febf14c5444c873ac4ec90a5a77
> https://git.kernel.org/stable/c/fff05b2b004d9a8a2416d08647f3dc9068e357c8
> https://git.kernel.org/stable/c/219eee9c0d16f1b754a8b85275854ab17df0850a
--
Michal Hocko
SUSE Labs