CVE-2024-56639

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hsr: must allocate more bytes for RedBox support<br /> <br /> Blamed commit forgot to change hsr_init_skb() to allocate<br /> larger skb for RedBox case.<br /> <br /> Indeed, send_hsr_supervision_frame() will add<br /> two additional components (struct hsr_sup_tlv<br /> and struct hsr_sup_payload)<br /> <br /> syzbot reported the following crash:<br /> skbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:206 !<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> CPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206<br /> Code: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c<br /> RSP: 0018:ffffc90000858ab8 EFLAGS: 00010282<br /> RAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69<br /> RDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005<br /> RBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000<br /> R10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a<br /> R13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140<br /> FS: 000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> skb_over_panic net/core/skbuff.c:211 [inline]<br /> skb_put+0x174/0x1b0 net/core/skbuff.c:2617<br /> send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342<br /> hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436<br /> call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794<br /> expire_timers kernel/time/timer.c:1845 [inline]<br /> __run_timers+0x6e8/0x930 kernel/time/timer.c:2419<br /> __run_timer_base kernel/time/timer.c:2430 [inline]<br /> __run_timer_base kernel/time/timer.c:2423 [inline]<br /> run_timer_base+0x111/0x190 kernel/time/timer.c:2439<br /> run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449<br /> handle_softirqs+0x213/0x8f0 kernel/softirq.c:554<br /> __do_softirq kernel/softirq.c:588 [inline]<br /> invoke_softirq kernel/softirq.c:428 [inline]<br /> __irq_exit_rcu kernel/softirq.c:637 [inline]<br /> irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649<br /> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]<br /> sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049<br />