CVE-2024-26596

net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events

After the blamed commit, we started doing this dereference for every
NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.

static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
struct dsa_user_priv *p = netdev_priv(dev);

return p->dp;
}

Which is obviously bogus, because not all net_devices have a netdev_priv()
of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
and p->dp means dereferencing 8 bytes starting with offset 16. Most
drivers allocate that much private memory anyway, making our access not
fault, and we discard the bogus data quickly afterwards, so this wasn't
caught.

But the dummy interface is somewhat special in that it calls
alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
with a VLAN as its new upper:

$ ip link add dummy1 type dummy
$ ip link add link dummy1 name dummy1.100 type vlan id 100
[ 43.309174] ==================================================================
[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
[ 43.330058]
[ 43.342436] Call trace:
[ 43.366542] dsa_user_prechangeupper+0x30/0xe8
[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8
[ 43.375768] notifier_call_chain+0xa4/0x210
[ 43.379985] raw_notifier_call_chain+0x24/0x38
[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8
[ 43.389120] netdev_upper_dev_link+0x70/0xa8
[ 43.393424] register_vlan_dev+0x1bc/0x310
[ 43.397554] vlan_newlink+0x210/0x248
[ 43.401247] rtnl_newlink+0x9fc/0xe30
[ 43.404942] rtnetlink_rcv_msg+0x378/0x580

Avoid the kernel oops by dereferencing after the type check, as customary.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: dsa: corrige la desreferencia de netdev_priv() antes de verificar los eventos de dispositivos de red que no son DSA Después del compromiso culpable, comenzamos a hacer esta desreferencia para cada evento NETDEV_CHANGEUPPER y NETDEV_PRECHANGEUPPER en el sistema. estructura estática en línea dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); devolver p->dp; } Lo cual es obviamente falso, porque no todos los net_devices tienen un netdev_priv() de tipo struct dsa_user_priv. Pero la estructura dsa_user_priv es bastante pequeña, y p->dp significa desreferenciar 8 bytes comenzando con el desplazamiento 16. La mayoría de los controladores asignan esa cantidad de memoria privada de todos modos, lo que hace que nuestro acceso no sea un error, y descartamos los datos falsos rápidamente después, por lo que esto no fue así. atrapó. Pero la interfaz ficticia es algo especial porque llama a alloc_netdev() con un tamaño privado de 0. Por lo tanto, cada desreferencia de netdev_priv() no es válida, y obtenemos esto cuando emitimos un evento NETDEV_PRECHANGEUPPER con una VLAN como nueva superior: $ ip enlace agregar dummy1 tipo dummy $ ip enlace agregar enlace dummy1 nombre dummy1.100 tipo vlan id 100 [43.309174] ============================= ======================================= [43.316456] ERROR: KASAN: losa fuera de -bounds en dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Lectura de tamaño 8 en addr ffff3f86481d2990 por tarea ip/374 [ 43.330058] [ 43.342436] Rastreo de llamadas: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768 ] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.3 93424] registrar_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink +0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Evite los errores del kernel desreferenciando después de la verificación de tipo, como es habitual.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-02-23 CVE Published
2024-02-24 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/4c3f80d22b2eca911143ce656fa45c4699ff5bf4	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/dbd909c20c11f0d29c0054d41e0d1f668a60e8c8	2024-01-25
https://git.kernel.org/stable/c/844f104790bd69c2e4dbb9ee3eba46fde1fcea7b	2024-01-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.7.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.8"		en		Affected