In the Linux kernel, the following vulnerability has been resolved:
geneve: fix header validation in geneve[6]xmitskb
syzbot is able to trigger an uninit-value in geneve_xmit() [1]
Problem : While most ip tunnel helpers (like iptunnelgetdsfield()) uses skbprotocol(skb, true), pskbinetmay_pull() is only using skb->protocol.
If anything else than ETHPIPV6 or ETHPIP is found in skb->protocol, pskbinetmay_pull() does nothing at all.
If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected.
Add skbvlaninet_prepare() to perform a complete mac validation.
Use this in geneve for the moment, I suspect we need to adopt this more broadly.
v4 - Jakub reported v3 broke l2tosttlinherit.sh selftest - Only call _vlangetprotocol() for vlan types.
v2,v3 - Addressed Sabrina comments on v1 and v2
[1]
BUG: KMSAN: uninit-value in genevexmitskb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in genevexmit+0x302d/0x5420 drivers/net/geneve.c:1030 genevexmitskb drivers/net/geneve.c:910 [inline] genevexmit+0x302d/0x5420 drivers/net/geneve.c:1030 _netdevstartxmit include/linux/netdevice.h:4903 [inline] netdevstartxmit include/linux/netdevice.h:4917 [inline] xmitone net/core/dev.c:3531 [inline] devhardstartxmit+0x247/0xa20 net/core/dev.c:3547 _devqueuexmit+0x348d/0x52c0 net/core/dev.c:4335 devqueuexmit include/linux/netdevice.h:3091 [inline] packetxmit+0x9c/0x6c0 net/packet/afpacket.c:276 packetsnd net/packet/afpacket.c:3081 [inline] packetsendmsg+0x8bb0/0x9ef0 net/packet/afpacket.c:3113 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x30f/0x380 net/socket.c:745 _syssendto+0x685/0x830 net/socket.c:2191 _dosyssendto net/socket.c:2203 [inline] _sesyssendto net/socket.c:2199 [inline] _x64syssendto+0x125/0x1d0 net/socket.c:2199 dosyscall64+0xd5/0x1f0 entrySYSCALL64after_hwframe+0x6d/0x75
Uninit was created at: slabpostallochook mm/slub.c:3804 [inline] slaballocnode mm/slub.c:3845 [inline] kmemcacheallocnode+0x613/0xc50 mm/slub.c:3888 kmallocreserve+0x13d/0x4a0 net/core/skbuff.c:577 _allocskb+0x35b/0x7a0 net/core/skbuff.c:668 allocskb include/linux/skbuff.h:1318 [inline] allocskbwithfrags+0xc8/0xbf0 net/core/skbuff.c:6504 sockallocsendpskb+0xa81/0xbf0 net/core/sock.c:2795 packetallocskb net/packet/afpacket.c:2930 [inline] packetsnd net/packet/afpacket.c:3024 [inline] packetsendmsg+0x722d/0x9ef0 net/packet/afpacket.c:3113 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x30f/0x380 net/socket.c:745 _syssendto+0x685/0x830 net/socket.c:2191 _dosyssendto net/socket.c:2203 [inline] _sesyssendto net/socket.c:2199 [inline] _x64syssendto+0x125/0x1d0 net/socket.c:2199 dosyscall64+0xd5/0x1f0 entrySYSCALL64afterhwframe+0x6d/0x75
CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
{ "vanir_signatures": [ { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-01e8b2dd", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@190d9efa5773f26d6f334b1b8be282c4fa13fd5e" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "51929639406525693481698736154733240222", "124251408743284067486261474537401323166", "80042098101090494035236133577221027342", "335258769736570583385550538454318977472", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "237895028516665562940556155887065559808", "321895489573994271034958723646093832599" ] }, "deprecated": false, "id": "CVE-2024-35973-07724ae7", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@357163fff3a6e48fe74745425a32071ec9caf852" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-095619f8", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a1b65d1e55d53b397cb27014208be1e04172670" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-46c434a9", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3adf11d7993518a39bd02b383cfe657ccc0023c" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-6a7efef0", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10204df9beda4978bd1d0c2db0d8375bfb03b915" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "88584346375247630807782173631424113074", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "118495388067071313758294317565074503100", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "59599333799318481363402393436561808878" ] }, "deprecated": false, "id": "CVE-2024-35973-86093906", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a1b65d1e55d53b397cb27014208be1e04172670" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "88584346375247630807782173631424113074", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "118495388067071313758294317565074503100", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "59599333799318481363402393436561808878" ] }, "deprecated": false, "id": "CVE-2024-35973-98906efb", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@190d9efa5773f26d6f334b1b8be282c4fa13fd5e" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "88584346375247630807782173631424113074", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "118495388067071313758294317565074503100", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "59599333799318481363402393436561808878" ] }, "deprecated": false, "id": "CVE-2024-35973-a0a513c7", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3adf11d7993518a39bd02b383cfe657ccc0023c" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-a7872408", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@357163fff3a6e48fe74745425a32071ec9caf852" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "88584346375247630807782173631424113074", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "118495388067071313758294317565074503100", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "59599333799318481363402393436561808878" ] }, "deprecated": false, "id": "CVE-2024-35973-b654f806", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-bcd6a418", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d8a6213d70accb403b82924a1c229e733433a5ef" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-c22b7452", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" }, { "target": { "file": "include/net/ip_tunnels.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "152431542324116889975681302578907063064", "116919276562890791172319432301024044261", "296497151252536414996305995341593021972" ] }, "deprecated": false, "id": "CVE-2024-35973-c503980d", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43be590456e1f3566054ce78ae2dbb68cbe1a536" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "88584346375247630807782173631424113074", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "118495388067071313758294317565074503100", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "59599333799318481363402393436561808878" ] }, "deprecated": false, "id": "CVE-2024-35973-dd641637", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10204df9beda4978bd1d0c2db0d8375bfb03b915" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "244444314111739349723197170687643895913", "287995052878593451000530636628902086098", "912980620778838493425159090093988883", "118495388067071313758294317565074503100", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "912980620778838493425159090093988883", "59599333799318481363402393436561808878" ] }, "deprecated": false, "id": "CVE-2024-35973-e1bc9009", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43be590456e1f3566054ce78ae2dbb68cbe1a536" }, { "target": { "file": "drivers/net/geneve.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "51929639406525693481698736154733240222", "124251408743284067486261474537401323166", "80042098101090494035236133577221027342", "335258769736570583385550538454318977472", "149085530238525255117505751335833697373", "124251408743284067486261474537401323166", "237895028516665562940556155887065559808", "321895489573994271034958723646093832599" ] }, "deprecated": false, "id": "CVE-2024-35973-ecf5dd4c", "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d8a6213d70accb403b82924a1c229e733433a5ef" } ] }