CVE-2024-26596
net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
After the blamed commit, we started doing this dereference for every
NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.
static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
struct dsa_user_priv *p = netdev_priv(dev);
return p->dp;
}
Which is obviously bogus, because not all net_devices have a netdev_priv()
of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
and p->dp means dereferencing 8 bytes starting with offset 16. Most
drivers allocate that much private memory anyway, making our access not
fault, and we discard the bogus data quickly afterwards, so this wasn't
caught.
But the dummy interface is somewhat special in that it calls
alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
with a VLAN as its new upper:
$ ip link add dummy1 type dummy
$ ip link add link dummy1 name dummy1.100 type vlan id 100
[ 43.309174] ==================================================================
[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
[ 43.330058]
[ 43.342436] Call trace:
[ 43.366542] dsa_user_prechangeupper+0x30/0xe8
[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8
[ 43.375768] notifier_call_chain+0xa4/0x210
[ 43.379985] raw_notifier_call_chain+0x24/0x38
[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8
[ 43.389120] netdev_upper_dev_link+0x70/0xa8
[ 43.393424] register_vlan_dev+0x1bc/0x310
[ 43.397554] vlan_newlink+0x210/0x248
[ 43.401247] rtnl_newlink+0x9fc/0xe30
[ 43.404942] rtnetlink_rcv_msg+0x378/0x580
Avoid the kernel oops by dereferencing after the type check, as customary.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: dsa: corrige la desreferencia de netdev_priv() antes de verificar los eventos de dispositivos de red que no son DSA Después del compromiso culpable, comenzamos a hacer esta desreferencia para cada evento NETDEV_CHANGEUPPER y NETDEV_PRECHANGEUPPER en el sistema. estructura estática en línea dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); devolver p->dp; } Lo cual es obviamente falso, porque no todos los net_devices tienen un netdev_priv() de tipo struct dsa_user_priv. Pero la estructura dsa_user_priv es bastante pequeña, y p->dp significa desreferenciar 8 bytes comenzando con el desplazamiento 16. La mayoría de los controladores asignan esa cantidad de memoria privada de todos modos, lo que hace que nuestro acceso no sea un error, y descartamos los datos falsos rápidamente después, por lo que esto no fue así. atrapó. Pero la interfaz ficticia es algo especial porque llama a alloc_netdev() con un tamaño privado de 0. Por lo tanto, cada desreferencia de netdev_priv() no es válida, y obtenemos esto cuando emitimos un evento NETDEV_PRECHANGEUPPER con una VLAN como nueva superior: $ ip enlace agregar dummy1 tipo dummy $ ip enlace agregar enlace dummy1 nombre dummy1.100 tipo vlan id 100 [43.309174] ============================= ======================================= [43.316456] ERROR: KASAN: losa fuera de -bounds en dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Lectura de tamaño 8 en addr ffff3f86481d2990 por tarea ip/374 [ 43.330058] [ 43.342436] Rastreo de llamadas: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768 ] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.3 93424] registrar_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink +0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Evite los errores del kernel desreferenciando después de la verificación de tipo, como es habitual.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-02-23 CVE Published
- 2024-10-11 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/4c3f80d22b2eca911143ce656fa45c4699ff5bf4 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1 < 6.6.55 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.55" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.7.2" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.8" | en |
Affected
|