CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36938 – bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
https://notcve.org/view.php?id=CVE-2024-36938
In the Linux kernel, the following vulnerability has been resolved: bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which syzbot reported [1]. [1] BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [inline] sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843 sk_psock_put include/linux/skmsg.h:459 [inline] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket.c:659 [inline] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0: sk_psock_data_ready include/linux/skmsg.h:464 [inline] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [inline] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x312/0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x1e9/0x280 net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 value changed: 0xffffffff83d7feb0 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer similarly due to no protection of saved_data_ready. Here is another different caller causing the same issue because of the same reason. So we should protect it with sk_callback_lock read lock because the writer side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);". To avoid errors that could happen in future, I move those two pairs of lock into the sk_psock_data_ready(), which is suggested by John Fastabend. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf, skmsg: Se corrigió la desreferencia del puntero NULL en sk_psock_skb_ingress_enqueue Se corrigieron las ejecucións de datos del puntero NULL en sk_psock_skb_ingress_enqueue() que syzbot informó [1]. [1] ERROR: KCSAN: ejecución de datos en sk_psock_drop / sk_psock_skb_ingress_enqueue escribe en 0xffff88814b3278b8 de 8 bytes por tarea 10724 en la CPU 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [en línea] 0 neto/núcleo/skmsg .c:843 sk_psock_put include/linux/skmsg.h:459 [en línea] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket. c:659 [en línea] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [en línea] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 leer en 0xffff8881 4b3278b8 de 8 bytes por tarea 10713 en la CPU 0: sk_psock_data_ready include/linux/skmsg.h:464 [en línea] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net /core/skmsg.c: 1008 [en línea] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [en línea] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 +0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [en línea] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x 312/ 0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [en línea] __sys_sendmsg+0x1e9/0x280 net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [en línea] __se_sys_sendmsg net/socket. c:2674 [en línea] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 valor cambiado: 0xffffffff83d7feb0 -> 0x0000000000000000 editado por Kernel Concurrency Sanitizer en: CPU: 0 PID: 10713 Comm: syz-executor .4 Contaminado: GW 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 29/02/2024 Antes de esto, confirme 4cd12c6065df ("bpf, sockmap: corrija el puntero NULL dereference in sk_psock_verdict_data_ready()") arregló un puntero NULL de manera similar debido a que no hay protección de save_data_ready. Aquí hay otra persona que llama y causa el mismo problema por el mismo motivo. • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973 https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27 https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87 https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80 https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365 • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36934 – bna: ensure the copied buf is NUL terminated
https://notcve.org/view.php?id=CVE-2024-36934
In the Linux kernel, the following vulnerability has been resolved: bna: ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bna: asegúrese de que el buf copiado tenga terminación NUL. Actualmente, asignamos un búfer del kernel de tamaño nbytes y copiamos nbytes del espacio de usuario a ese búfer. • https://git.kernel.org/stable/c/7afc5dbde09104b023ce04465ba71aaba0fc4346 https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147 https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4 https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9 https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32 https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91 https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b660 •
CVSS: 5.9EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36933 – nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
https://notcve.org/view.php?id=CVE-2024-36933
In the Linux kernel, the following vulnerability has been resolved: nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). syzbot triggered various splats (see [0] and links) by a crafted GSO packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols: ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls skb_mac_gso_segment() to invoke inner protocol GSO handlers. nsh_gso_segment() does the following for the original skb before calling skb_mac_gso_segment() 1. reset skb->network_header 2. save the original skb->{mac_heaeder,mac_len} in a local variable 3. pull the NSH header 4. resets skb->mac_header 5. set up skb->mac_len and skb->protocol for the inner protocol. and does the following for the segmented skb 6. set ntohs(ETH_P_NSH) to skb->protocol 7. push the NSH header 8. restore skb->mac_header 9. set skb->mac_header + mac_len to skb->network_header 10. restore skb->mac_len There are two problems in 6-7 and 8-9. (a) After 6 & 7, skb->data points to the NSH header, so the outer header (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev. Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH), skb_pull() in the first nsh_gso_segment() will make skb->data point to the middle of the outer NSH or Ethernet header because the Ethernet header is not pulled by the second nsh_gso_segment(). (b) While restoring skb->{mac_header,network_header} in 8 & 9, nsh_gso_segment() does not assume that the data in the linear buffer is shifted. However, udp6_ufo_fragment() could shift the data and change skb->mac_header accordingly as demonstrated by syzbot. If this happens, even the restored skb->mac_header points to the middle of the outer header. It seems nsh_gso_segment() has never worked with outer headers so far. At the end of nsh_gso_segment(), the outer header must be restored for the segmented skb, instead of the NSH header. To do that, let's calculate the outer header position relatively from the inner header and set skb->{data,mac_header,protocol} properly. [0]: BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline] BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222 __netdev_start_xmit include/linux/netdevice.h:4989 [inline] netdev_start_xmit include/linux/netdevice.h:5003 [inline] xmit_one net/core/dev.c:3547 [inline] dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563 __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351 dev_queue_xmit include/linux/netdevice.h:3171 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook mm/slub.c:3819 [inline] slab_alloc_node mm/slub.c:3860 [inline] __do_kmalloc_node mm/slub.c:3980 [inline] __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 __ ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nsh: restaurar skb->{protocol,data,mac_header} para el encabezado externo en nsh_gso_segment(). syzbot activó varios símbolos (ver [0] y enlaces) mediante un paquete GSO manipulado de VIRTIO_NET_HDR_GSO_UDP que superpone los siguientes protocolos: ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP NSH puede encapsular IPv4, IPv6, Ethernet, NSH y MPLS. Como el protocolo interno puede ser Ethernet, el controlador NSH GSO, nsh_gso_segment(), llama a skb_mac_gso_segment() para invocar los controladores GSO del protocolo interno. nsh_gso_segment() hace lo siguiente para el skb original antes de llamar a skb_mac_gso_segment() 1. restablecer skb->network_header 2. guardar el skb->{mac_heaeder,mac_len} original en una variable local 3. extraer el encabezado NSH 4. restablece skb- >mac_header 5. Configure skb->mac_len y skb->protocol para el protocolo interno. y hace lo siguiente para el skb segmentado 6. configurar ntohs(ETH_P_NSH) en skb->protocol 7. empujar el encabezado NSH 8. restaurar skb->mac_header 9. configurar skb->mac_header + mac_len en skb->network_header 10. restaurar skb->mac_len Hay dos problemas en 6-7 y 8-9. (a) Después de 6 y 7, skb->data apunta al encabezado NSH, por lo que el encabezado externo (ETH_P_8021AD en este caso) se elimina cuando skb se envía fuera de netdev. • https://git.kernel.org/stable/c/c411ed854584a71b0e86ac3019b60e4789d88086 https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9 https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216 https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2 https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340 https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29ecc • CWE-457: Use of Uninitialized Variable •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2024-36927 – ipv4: Fix uninit-value access in __ip_make_skb()
https://notcve.org/view.php?id=CVE-2024-36927
In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in __ip_make_skb() KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL while __ip_make_skb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN. Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket. Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. • https://git.kernel.org/stable/c/99e5acae193e369b71217efe6f1dad42f3f18815 https://git.kernel.org/stable/c/dc4e3bb0710178c8d03fc43064e0a71fe7440cdd https://git.kernel.org/stable/c/022ea4374c319690c804706bda9dc42946d1556d https://git.kernel.org/stable/c/27c468ec1af113f6ae94fb5378f65e6038bd16e7 https://git.kernel.org/stable/c/566785731c6dd41ef815196ddc36d1ae30a63763 https://git.kernel.org/stable/c/a54ec573d9b81b05d368f8e6edc1b3e49f688658 https://git.kernel.org/stable/c/fc60067260c20da8cddcf968bec47416f3e2cde2 https://git.kernel.org/stable/c/32a5a13d556e4f804e5a447a08c70b172 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36924 – scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()
https://notcve.org/view.php?id=CVE-2024-36924
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the hbalock. Thus, lpfc_worker_wake_up() should not be called while holding the hbalock to avoid potential deadlock. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: lpfc: Libere hbalock antes de llamar a lpfc_worker_wake_up() lpfc_worker_wake_up() llama a la rutina lpfc_work_done(), que toma el hbalock. Por lo tanto, no se debe llamar a lpfc_worker_wake_up() mientras se mantiene presionado el hbalock para evitar un posible punto muerto. • https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683 https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3 https://access.redhat.com/security/cve/CVE-2024-36924 https://bugzilla.redhat.com/show_bug.cgi?id=2284506 • CWE-833: Deadlock •