CVE-2024-35973

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> geneve: fix header validation in geneve[6]_xmit_skb<br /> <br /> syzbot is able to trigger an uninit-value in geneve_xmit() [1]<br /> <br /> Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())<br /> uses skb_protocol(skb, true), pskb_inet_may_pull() is only using<br /> skb-&gt;protocol.<br /> <br /> If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb-&gt;protocol,<br /> pskb_inet_may_pull() does nothing at all.<br /> <br /> If a vlan tag was provided by the caller (af_packet in the syzbot case),<br /> the network header might not point to the correct location, and skb<br /> linear part could be smaller than expected.<br /> <br /> Add skb_vlan_inet_prepare() to perform a complete mac validation.<br /> <br /> Use this in geneve for the moment, I suspect we need to adopt this<br /> more broadly.<br /> <br /> v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest<br /> - Only call __vlan_get_protocol() for vlan types.<br /> <br /> v2,v3 - Addressed Sabrina comments on v1 and v2<br /> <br /> [1]<br /> <br /> BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]<br /> BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030<br /> geneve_xmit_skb drivers/net/geneve.c:910 [inline]<br /> geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030<br /> __netdev_start_xmit include/linux/netdevice.h:4903 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4917 [inline]<br /> xmit_one net/core/dev.c:3531 [inline]<br /> dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547<br /> __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335<br /> dev_queue_xmit include/linux/netdevice.h:3091 [inline]<br /> packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276<br /> packet_snd net/packet/af_packet.c:3081 [inline]<br /> packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:745<br /> __sys_sendto+0x685/0x830 net/socket.c:2191<br /> __do_sys_sendto net/socket.c:2203 [inline]<br /> __se_sys_sendto net/socket.c:2199 [inline]<br /> __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199<br /> do_syscall_64+0xd5/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x6d/0x75<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:3804 [inline]<br /> slab_alloc_node mm/slub.c:3845 [inline]<br /> kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577<br /> __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668<br /> alloc_skb include/linux/skbuff.h:1318 [inline]<br /> alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504<br /> sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795<br /> packet_alloc_skb net/packet/af_packet.c:2930 [inline]<br /> packet_snd net/packet/af_packet.c:3024 [inline]<br /> packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:745<br /> __sys_sendto+0x685/0x830 net/socket.c:2191<br /> __do_sys_sendto net/socket.c:2203 [inline]<br /> __se_sys_sendto net/socket.c:2199 [inline]<br /> __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199<br /> do_syscall_64+0xd5/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x6d/0x75<br /> <br /> CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024