CVE-2024-26882

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()<br /> <br /> Apply the same fix than ones found in :<br /> <br /> 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")<br /> 1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")<br /> <br /> We have to save skb-&gt;network_header in a temporary variable<br /> in order to be able to recompute the network_header pointer<br /> after a pskb_inet_may_pull() call.<br /> <br /> pskb_inet_may_pull() makes sure the needed headers are in skb-&gt;head.<br /> <br /> syzbot reported:<br /> BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]<br /> BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]<br /> BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]<br /> BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409<br /> __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]<br /> INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]<br /> IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]<br /> ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409<br /> __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389<br /> ipgre_rcv net/ipv4/ip_gre.c:411 [inline]<br /> gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447<br /> gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163<br /> ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205<br /> ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233<br /> NF_HOOK include/linux/netfilter.h:314 [inline]<br /> ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254<br /> dst_input include/net/dst.h:461 [inline]<br /> ip_rcv_finish net/ipv4/ip_input.c:449 [inline]<br /> NF_HOOK include/linux/netfilter.h:314 [inline]<br /> ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569<br /> __netif_receive_skb_one_core net/core/dev.c:5534 [inline]<br /> __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648<br /> netif_receive_skb_internal net/core/dev.c:5734 [inline]<br /> netif_receive_skb+0x58/0x660 net/core/dev.c:5793<br /> tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556<br /> tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009<br /> tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055<br /> call_write_iter include/linux/fs.h:2087 [inline]<br /> new_sync_write fs/read_write.c:497 [inline]<br /> vfs_write+0xb6b/0x1520 fs/read_write.c:590<br /> ksys_write+0x20f/0x4c0 fs/read_write.c:643<br /> __do_sys_write fs/read_write.c:655 [inline]<br /> __se_sys_write fs/read_write.c:652 [inline]<br /> __x64_sys_write+0x93/0xd0 fs/read_write.c:652<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Uninit was created at:<br /> __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590<br /> alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133<br /> alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204<br /> skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909<br /> tun_build_skb drivers/net/tun.c:1686 [inline]<br /> tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826<br /> tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055<br /> call_write_iter include/linux/fs.h:2087 [inline]<br /> new_sync_write fs/read_write.c:497 [inline]<br /> vfs_write+0xb6b/0x1520 fs/read_write.c:590<br /> ksys_write+0x20f/0x4c0 fs/read_write.c:643<br /> __do_sys_write fs/read_write.c:655 [inline]<br /> __se_sys_write fs/read_write.c:652 [inline]<br /> __x64_sys_write+0x93/0xd0 fs/read_write.c:652<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b