CVE-2024-50045

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50045
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50045.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50045
Downstream
Related
Published
2024-10-21T19:39:43.117Z
Modified
2025-11-28T02:35:29.763934Z
Summary
netfilter: br_netfilter: fix panic with metadata_dst skb
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: fix panic with metadata_dst skb

Fix a kernel panic in the br_netfilter module when sending untagged traffic via a VxLAN device. This happens during the check for fragmentation in br_nf_dev_queue_xmit.

It is dependent on:
1) the br_netfilter module being loaded;
2) net.bridge.bridge-nf-call-iptables set to 1;
3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
4) untagged frames with size higher than the VxLAN MTU forwarded/flooded

When forwarding the untagged packet to the VxLAN bridge port, before the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.

Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check for frames that need to be fragmented: frames with higher MTU than the VxLAN device end up calling br_nf_ip_fragment, which in turn calls ip_skb_dst_mtu.

The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst with valid dst->dev, thus the crash.

This case was never supported in the first place, so drop the packet instead.

PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
[ 176.291791] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110
[ 176.292101] Mem abort info:
[ 176.292184] ESR = 0x0000000096000004
[ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits
[ 176.292530] SET = 0, FnV = 0
[ 176.292709] EA = 0, S1PTW = 0
[ 176.292862] FSC = 0x04: level 0 translation fault
[ 176.293013] Data abort info:
[ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
[ 176.294166] [0000000000000110] pgd=0000000000000000, p4d=0000000000000000
[ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth br_netfilter bridge stp llc ipv6 crct10dif_ce
[ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted 6.8.0-rc3-g5b3fbd61b9d1 #2
[ 176.296314] Hardware name: linux,dummy-virt (DT)
[ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
[ 176.297636] sp : ffff800080003630
[ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27: ffff6828c49ad9f8
[ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24: 00000000000003e8
[ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21: ffff6828c3b16d28
[ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18: 0000000000000014
[ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15: 0000000095744632
[ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12: ffffb7e137926a70
[ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 : 0000000000000000
[ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 : f20e0100bebafeca
[ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 : 0000000000000000
[ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 : ffff6828c7f918f0
[ 176.300889] Call trace:
[ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
[ 176.301703] nf_hook_slow+0x48/0x124
[ 176.302060] br_forward_finish+0xc8/0xe8 [bridge]
[ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter]
[ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter]
[ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
[ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter]
[ 176.303359] nf_hook_slow+0x48/0x124
[ 176.303 ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50045.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
11538d039ac6efcf4f1a6c536e1b87cd3668a9fd
Fixed
f07131239a76cc10d5e82c19d91f53cb55727297
Fixed
75dfcb758015c97e1accd6340691fca67d363bed
Fixed
cce8419b8168f6e7eb637103a47f916f3de8bc81
Fixed
95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803
Fixed
78ed917133b118661e1fe62d4a85d5d428ee9568
Fixed
3453f5839420bfbb85c86c61e49f49ffd0f041c4
Fixed
915717e0bb9837cc5c101bc545af487bd787239e
Fixed
f9ff7665cd128012868098bbd07e28993e314fdb

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.11.0
Fixed
4.19.323
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.285
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.227
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.168
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.113
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.57
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.4
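
Host exposure check (an added example, not part of the advisory or the kernel project): it tests a kernel version against the ECOSYSTEM ranges listed above and checks the first three conditions from the Details section. The function names and the optional ROOT argument (used to point the checks at a test directory) are this example's own; VxLAN ports are recognised by the DEVTYPE=vxlan line in the sysfs uevent file.

```shell
#!/bin/sh
# Added example: host exposure check for CVE-2024-50045.
# Introduced:fixed pairs are the ECOSYSTEM ranges listed on this page.
RANGES="4.11.0:4.19.323 4.20.0:5.4.285 5.5.0:5.10.227 5.11.0:5.15.168
5.16.0:6.1.113 6.2.0:6.6.57 6.7.0:6.11.4"

# ver_key X.Y.Z[-suffix]: sortable integer, e.g. 6.8.0-rc3 gives 600080000
ver_key() {
    echo "${1%%[-+]*}" | awk -F. '{ printf "%d%04d%04d\n", $1, $2, $3 }'
}

# kernel_in_affected_range VERSION: succeeds if introduced <= VERSION < fixed
kernel_in_affected_range() {
    v=$(ver_key "$1")
    for pair in $RANGES; do
        lo=$(ver_key "${pair%%:*}"); hi=$(ver_key "${pair##*:}")
        if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then return 0; fi
    done
    return 1
}

# bridge_nf_enabled [ROOT]: conditions 1 and 2. The sysctl file only exists
# while br_netfilter is present, so a value of 1 covers both.
bridge_nf_enabled() {
    f="${1:-}/proc/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# vxlan_bridge_ports [ROOT]: condition 3. Prints every VxLAN netdevice that
# is a bridge port. It does not verify single-vxlan-device mode.
vxlan_bridge_ports() {
    for d in "${1:-}"/sys/class/net/*; do
        [ -d "$d/brport" ] || continue
        grep -qx 'DEVTYPE=vxlan' "$d/uevent" 2>/dev/null && basename "$d"
    done
    return 0
}

# exposure_verdict VERSION [ROOT]: combines the three static checks.
exposure_verdict() {
    kernel_in_affected_range "$1" || { echo "not-affected-version"; return; }
    bridge_nf_enabled "${2:-}" || { echo "preconditions-not-met"; return; }
    [ -n "$(vxlan_bridge_ports "${2:-}")" ] || { echo "preconditions-not-met"; return; }
    echo "exposed"
}

# Check the live host when invoked with the single argument "run".
if [ "${1:-}" = "run" ]; then exposure_verdict "$(uname -r)"; fi
```

Condition 4 (oversized untagged frames being forwarded or flooded) depends on traffic and is not checked. Distribution kernels may carry the fix under a version number that still falls inside a listed range, so treat the version result as indicative.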