From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2024-26857: geneve: make sure to pull inner header in geneve_rx()
Date: Wed, 17 Apr 2024 12:17:30 +0200
Message-ID: <2024041724-CVE-2024-26857-75ac@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

geneve: make sure to pull inner header in geneve_rx()

syzbot triggered a bug in geneve_rx() [1]

Issue is similar to the one I fixed in commit 8d975c15c0cd
("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.
[1]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
 IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 geneve_rx drivers/net/geneve.c:279 [inline]
 geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
 udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
 udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
 udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
 __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
 udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
 __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
 process_backlog+0x480/0x8b0 net/core/dev.c:5976
 __napi_poll+0xe3/0x980 net/core/dev.c:6576
 napi_poll net/core/dev.c:6645 [inline]
 net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
 __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
 do_softirq+0x9a/0xf0 kernel/softirq.c:454
 __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
 __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x735/0xa10 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3819 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
 __alloc_skb+0x352/0x790 net/core/skbuff.c:651
 alloc_skb include/linux/skbuff.h:1296 [inline]
 alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
 packet_alloc_skb net/packet/af_packet.c:2930 [inline]
 packet_snd net/packet/af_packet.c:3024 [inline]
 packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x735/0xa10 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The Linux kernel CVE team has assigned CVE-2024-26857 to this issue.
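As an added illustration, not part of this announcement or of the kernel source, the user-space C model below reproduces the two halves of the pattern the fix relies on: the inner header may still sit in non-linear (fragment) data and has to be pulled before it is read, and a pointer to the outer header taken before the pull has to be recomputed afterwards because the pull may reallocate skb->head. Everything prefixed toy_ (the struct, the pull routine, the two decapsulation variants, the packet bytes) is constructed for the model and is not the driver's code; the real sk_buff, pskb_inet_may_pull() and IP_ECN_decapsulate() are far richer, and the 0xAA poison value merely stands in for memory nobody wrote.

```c
#include <stdlib.h>
#include <string.h>

#define TOY_POISON    0xAA  /* stands in for uninitialised bytes */
#define TOY_OUTER_LEN 36    /* outer IPv4 (20) + UDP (8) + Geneve (8) */
#define TOY_IPV4_LEN  20

/* Constructed sk_buff model: [data, tail) is valid linear data, the rest of
 * the packet sits in one fragment.  Headers are kept as offsets from head. */
struct toy_skb {
    unsigned char *head;
    size_t data, tail, network_header;
    const unsigned char *frag;
    size_t frag_len;
};

/* Model of pskb_may_pull(): make `len` bytes at skb->data linear.  Returns 1 if
 * already linear, 2 if fragment bytes were copied into a reallocated head
 * (earlier pointers into head now dangle), 0 if the packet is too short. */
static int toy_pskb_may_pull(struct toy_skb *skb, size_t len)
{
    size_t need = skb->data + len, pull;
    unsigned char *nhead;
    if (need <= skb->tail)
        return 1;
    if (need > skb->tail + skb->frag_len)
        return 0;
    pull = need - skb->tail;
    if (!(nhead = malloc(skb->tail + pull)))
        return 0;
    memcpy(nhead, skb->head, skb->tail);
    memcpy(nhead + skb->tail, skb->frag, pull);
    free(skb->head);                          /* old head is gone */
    skb->head = nhead;
    skb->tail += pull;
    skb->frag += pull;
    skb->frag_len -= pull;
    return 2;
}

/* Pre-fix pattern: keep a pointer to the outer header, repoint the network
 * header at the inner packet and read its TOS without pulling it in. */
static int toy_decap_unchecked(struct toy_skb *skb, unsigned *outer_tos,
                               unsigned *inner_tos)
{
    const unsigned char *oiph = skb->head + skb->network_header;
    skb->network_header = skb->data;          /* skb_reset_network_header() */
    *outer_tos = oiph[1];
    /* The inner header is still in the fragment, so this reads bytes past
     * tail that nobody wrote: the class of read KMSAN reported above. */
    *inner_tos = skb->head[skb->network_header + 1];
    return 0;
}

/* Fixed pattern: remember the outer header as an offset, pull the inner
 * header, then recompute the outer pointer from the (possibly new) head. */
static int toy_decap_fixed(struct toy_skb *skb, unsigned *outer_tos,
                           unsigned *inner_tos, int *head_moved)
{
    size_t nh = skb->network_header;          /* an offset survives a realloc */
    int rc;
    skb->network_header = skb->data;
    if (!(rc = toy_pskb_may_pull(skb, TOY_IPV4_LEN)))
        return -1;                            /* too short: drop the packet */
    *head_moved = (rc == 2);
    *outer_tos = skb->head[nh + 1];           /* recomputed, never stale */
    *inner_tos = skb->head[skb->network_header + 1];
    return 0;
}

/* Constructed packet: outer IPv4 header with TOS 0x01 in the linear area,
 * inner IPv4 header with TOS 0x03 only in the fragment (inner_len bytes). */
static const unsigned char toy_inner[TOY_IPV4_LEN] = { 0x45, 0x03 };

static void toy_build(struct toy_skb *skb, size_t inner_len)
{
    skb->head = malloc(64);
    memset(skb->head, TOY_POISON, 64);        /* unwritten bytes past tail */
    memset(skb->head, 0, TOY_OUTER_LEN);
    skb->head[0] = 0x45;                      /* outer IPv4 version/IHL */
    skb->head[1] = 0x01;                      /* outer TOS */
    skb->data = skb->tail = TOY_OUTER_LEN;    /* data points at inner packet */
    skb->network_header = 0;                  /* still the outer header */
    skb->frag = toy_inner;
    skb->frag_len = inner_len;
}

/* Runs one constructed packet through either path.  Returns
 * outer_tos << 16 | inner_tos << 8 | head_moved, or -1 if dropped. */
int toy_demo(int use_fix, size_t inner_len)
{
    struct toy_skb skb; unsigned o = 0, i = 0; int moved = 0, rc;
    toy_build(&skb, inner_len);
    rc = use_fix ? toy_decap_fixed(&skb, &o, &i, &moved)
                 : toy_decap_unchecked(&skb, &o, &i);
    free(skb.head);
    return rc < 0 ? -1 : (int)((o << 16) | (i << 8) | (unsigned)moved);
}
```

toy_demo(0, TOY_IPV4_LEN) returns 0x01AA00: the outer TOS is read fine, the inner TOS is the poison byte, and a truncated inner header (inner_len 19) is not noticed at all. toy_demo(1, TOY_IPV4_LEN) returns 0x010301 with head_moved set, so the outer TOS is still read correctly through the saved offset after the reallocation, and toy_demo(1, TOY_IPV4_LEN - 1) returns -1, the drop taken when the model's pull fails.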
Affected and fixed versions
===========================

	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 4.19.310 with commit e431c3227864
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 5.4.272 with commit 59d2a4076983
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 5.10.213 with commit c7137900691f
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 5.15.152 with commit e77e0b0f2a11
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 6.1.82 with commit c0b22568a9d8
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 6.6.22 with commit 0ece581d2a66
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 6.7.10 with commit 048e16dee1fc
	Issue introduced in 4.2 with commit 2d07dc79fe04 and fixed in 6.8 with commit 1ca1ba465e55

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26857
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/net/geneve.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.
If, however, updating to the latest release is impossible, the individual
changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914
	https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29
	https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c
	https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a
	https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5
	https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5
	https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca
	https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74