DEBIAN-CVE-2024-35973

In the Linux kernel, the following vulnerability has been resolved: geneve: fix header validation in geneve[6]xmitskb syzbot is able to trigger an uninit-value in genevexmit() [1] Problem : While most ip tunnel helpers (like iptunnelgetdsfield()) uses skbprotocol(skb, true), pskbinetmaypull() is only using skb->protocol. If anything else than ETHPIPV6 or ETHPIP is found in skb->protocol, pskbinetmaypull() does nothing at all. If a vlan tag was provided by the caller (afpacket in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected. Add skbvlaninetprepare() to perform a complete mac validation. Use this in geneve for the moment, I suspect we need to adopt this more broadly. v4 - Jakub reported v3 broke l2tosttlinherit.sh selftest - Only call _vlangetprotocol() for vlan types. v2,v3 - Addressed Sabrina comments on v1 and v2 [1] BUG: KMSAN: uninit-value in genevexmitskb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in genevexmit+0x302d/0x5420 drivers/net/geneve.c:1030 genevexmitskb drivers/net/geneve.c:910 [inline] genevexmit+0x302d/0x5420 drivers/net/geneve.c:1030 _netdevstartxmit include/linux/netdevice.h:4903 [inline] netdevstartxmit include/linux/netdevice.h:4917 [inline] xmitone net/core/dev.c:3531 [inline] devhardstartxmit+0x247/0xa20 net/core/dev.c:3547 _devqueuexmit+0x348d/0x52c0 net/core/dev.c:4335 devqueuexmit include/linux/netdevice.h:3091 [inline] packetxmit+0x9c/0x6c0 net/packet/afpacket.c:276 packetsnd net/packet/afpacket.c:3081 [inline] packetsendmsg+0x8bb0/0x9ef0 net/packet/afpacket.c:3113 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x30f/0x380 net/socket.c:745 _syssendto+0x685/0x830 net/socket.c:2191 _dosyssendto net/socket.c:2203 [inline] _sesyssendto net/socket.c:2199 [inline] _x64syssendto+0x125/0x1d0 net/socket.c:2199 dosyscall64+0xd5/0x1f0 entrySYSCALL64afterhwframe+0x6d/0x75 Uninit was created at: slabpostallochook mm/slub.c:3804 [inline] slaballocnode mm/slub.c:3845 [inline] kmemcacheallocnode+0x613/0xc50 mm/slub.c:3888 kmallocreserve+0x13d/0x4a0 net/core/skbuff.c:577 _allocskb+0x35b/0x7a0 net/core/skbuff.c:668 allocskb include/linux/skbuff.h:1318 [inline] allocskbwithfrags+0xc8/0xbf0 net/core/skbuff.c:6504 sockallocsendpskb+0xa81/0xbf0 net/core/sock.c:2795 packetallocskb net/packet/afpacket.c:2930 [inline] packetsnd net/packet/afpacket.c:3024 [inline] packetsendmsg+0x722d/0x9ef0 net/packet/afpacket.c:3113 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x30f/0x380 net/socket.c:745 _syssendto+0x685/0x830 net/socket.c:2191 _dosyssendto net/socket.c:2203 [inline] _sesyssendto net/socket.c:2199 [inline] _x64syssendto+0x125/0x1d0 net/socket.c:2199 dosyscall64+0xd5/0x1f0 entrySYSCALL64afterhwframe+0x6d/0x75 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024