// For flags

CVE-2024-36933

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

syzbot triggered various splats (see [0] and links) by a crafted GSO
packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:

ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP

NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner
protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
skb_mac_gso_segment() to invoke inner protocol GSO handlers.

nsh_gso_segment() does the following for the original skb before
calling skb_mac_gso_segment()

1. reset skb->network_header
2. save the original skb->{mac_heaeder,mac_len} in a local variable
3. pull the NSH header
4. resets skb->mac_header
5. set up skb->mac_len and skb->protocol for the inner protocol.

and does the following for the segmented skb

6. set ntohs(ETH_P_NSH) to skb->protocol
7. push the NSH header
8. restore skb->mac_header
9. set skb->mac_header + mac_len to skb->network_header
10. restore skb->mac_len

There are two problems in 6-7 and 8-9.

(a)
After 6 & 7, skb->data points to the NSH header, so the outer header
(ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.

Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
skb_pull() in the first nsh_gso_segment() will make skb->data point
to the middle of the outer NSH or Ethernet header because the Ethernet
header is not pulled by the second nsh_gso_segment().

(b)
While restoring skb->{mac_header,network_header} in 8 & 9,
nsh_gso_segment() does not assume that the data in the linear
buffer is shifted.

However, udp6_ufo_fragment() could shift the data and change
skb->mac_header accordingly as demonstrated by syzbot.

If this happens, even the restored skb->mac_header points to
the middle of the outer header.

It seems nsh_gso_segment() has never worked with outer headers so far.

At the end of nsh_gso_segment(), the outer header must be restored for
the segmented skb, instead of the NSH header.

To do that, let's calculate the outer header position relatively from
the inner header and set skb->{data,mac_header,protocol} properly.

[0]:
BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
__dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
slab_post_alloc_hook mm/slub.c:3819 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
__do_kmalloc_node mm/slub.c:3980 [inline]
__kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
__
---truncated---

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nsh: restaurar skb->{protocol,data,mac_header} para el encabezado externo en nsh_gso_segment(). syzbot activó varios símbolos (ver [0] y enlaces) mediante un paquete GSO manipulado de VIRTIO_NET_HDR_GSO_UDP que superpone los siguientes protocolos: ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP NSH puede encapsular IPv4, IPv6, Ethernet, NSH y MPLS. Como el protocolo interno puede ser Ethernet, el controlador NSH GSO, nsh_gso_segment(), llama a skb_mac_gso_segment() para invocar los controladores GSO del protocolo interno. nsh_gso_segment() hace lo siguiente para el skb original antes de llamar a skb_mac_gso_segment() 1. restablecer skb->network_header 2. guardar el skb->{mac_heaeder,mac_len} original en una variable local 3. extraer el encabezado NSH 4. restablece skb- >mac_header 5. Configure skb->mac_len y skb->protocol para el protocolo interno. y hace lo siguiente para el skb segmentado 6. configurar ntohs(ETH_P_NSH) en skb->protocol 7. empujar el encabezado NSH 8. restaurar skb->mac_header 9. configurar skb->mac_header + mac_len en skb->network_header 10. restaurar skb->mac_len Hay dos problemas en 6-7 y 8-9. (a) Después de 6 y 7, skb->data apunta al encabezado NSH, por lo que el encabezado externo (ETH_P_8021AD en este caso) se elimina cuando skb se envía fuera de netdev. Además, si NSH está encapsulado por NSH + Ethernet (es decir, NSH-Ethernet-NSH), skb_pull() en el primer nsh_gso_segment() hará que skb->data apunte al medio del encabezado NSH o Ethernet externo porque el encabezado Ethernet es no arrastrado por el segundo nsh_gso_segment(). (b) Al restaurar skb->{mac_header,network_header} en 8 y 9, nsh_gso_segment() no supone que los datos en el búfer lineal se hayan desplazado. Sin embargo, udp6_ufo_fragment() podría cambiar los datos y cambiar skb->mac_header en consecuencia, como lo demuestra syzbot. Si esto sucede, incluso el skb->mac_header restaurado apunta al centro del encabezado externo. Parece que nsh_gso_segment() nunca ha funcionado con encabezados externos hasta ahora. Al final de nsh_gso_segment(), se debe restaurar el encabezado externo para el skb segmentado, en lugar del encabezado NSH. Para hacer eso, calculemos la posición del encabezado externo relativamente desde el encabezado interno y configuremos skb->{data,mac_header,protocol} correctamente. [0]: ERROR: KMSAN: valor uninit en ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [en línea] ERROR: KMSAN: valor uninit en ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [en línea] ERROR: KMSAN: valor uninit en ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [en línea] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c: 602 [en línea] ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222 __netdev_start_xmit include/linux/netdevice.h:4989 [en línea] _xmitir include/linux/netdevice.h:5003 [en línea] xmit_one net/core/dev.c:3547 [en línea] dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563 __dev_queue_xmit+0x33ed/0x51c0 net/core/dev. c:4351 dev_queue_xmit include/linux/netdevice.h:3171 [en línea] paquete_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 paquete_snd net/packet/af_packet.c:3081 [en línea] paquete_sendmsg+0x8aef/0x9f10 net/ paquete/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [en línea] __sock_sendmsg net/socket.c:745 [en línea] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [ en línea] __se_sys_sendto net/socket.c:2199 [en línea] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xcf/0x1e0 arch/x86/entry /common.c:83 Entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit se creó en: slab_post_alloc_hook mm/slub.c:3819 [en línea] slab_alloc_node mm/slub.c:3860 [en línea] __do_kmalloc_node mm/slub.c:3980---truncado---

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-30 CVE Reserved
  • 2024-05-30 CVE Published
  • 2024-05-31 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-457: Use of Uninitialized Variable
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 4.19.314
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.19.314"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 5.4.276
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.4.276"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 5.10.217
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.10.217"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 5.15.159
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.15.159"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 6.1.91
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 6.1.91"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 6.6.31
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 6.6.31"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 6.8.10
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 6.8.10"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 6.9"
en
Affected