author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-10 13:07:17 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-10 13:07:17 +0200 |
commit | fe535e033c26ee9e723effaee3de82315e3dbeb0 (patch) | |
tree | 26d19875c9e0d12e871ecb9812f5e35d8bcd2ad3 | |
parent | ba94d6c76e31a3dd446b6475b9604fa6e2a10473 (diff) | |
CVE-2024-26815 allocated
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | cve/published/2024/CVE-2024-26815 (renamed from cve/reserved/2024/CVE-2024-26815) | 0 | ||||
-rw-r--r-- | cve/published/2024/CVE-2024-26815.json | 133 | ||||
-rw-r--r-- | cve/published/2024/CVE-2024-26815.mbox | 118 | ||||
-rw-r--r-- | cve/published/2024/CVE-2024-26815.sha1 | 1 |
4 files changed, 252 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26815 b/cve/published/2024/CVE-2024-26815
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26815
+++ b/cve/published/2024/CVE-2024-26815
diff --git a/cve/published/2024/CVE-2024-26815.json b/cve/published/2024/CVE-2024-26815.json
new file mode 100644
index 00000000..a5b12515
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26815.json
@@ -0,0 +1,133 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check\n\ntaprio_parse_tc_entry() is not correctly checking\nTCA_TAPRIO_TC_ENTRY_INDEX attribute:\n\n\tint tc; // Signed value\n\n\ttc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);\n\tif (tc >= TC_QOPT_MAX_QUEUE) {\n\t\tNL_SET_ERR_MSG_MOD(extack, \"TC entry index out of range\");\n\t\treturn -ERANGE;\n\t}\n\nsyzbot reported that it could fed arbitary negative values:\n\nUBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18\nshift exponent -2147418108 is negative\nCPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386\n taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]\n taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]\n taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877\n taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134\n qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355\n tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg 
net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f1b2dea3759\nCode: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004\nRBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340\nR13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340" + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "a54fc09e4cba", + "lessThan": "bd2474a45df7", + "status": "affected", + "versionType": "git" + }, + { + "version": "a54fc09e4cba", + "lessThan": "6915b1b28fe5", + "status": "affected", + "versionType": "git" + }, + { + "version": "a54fc09e4cba", + "lessThan": "860e838fb089", + "status": "affected", + "versionType": "git" + }, + { + "version": "a54fc09e4cba", + "lessThan": "9b720bb1a69a", + "status": "affected", + "versionType": "git" + }, + { + "version": "a54fc09e4cba", + "lessThan": "343041b59b78", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "6.1", + "status": "affected" + }, + { + "version": "0", + "lessThan": "6.1", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "6.1.83", + "lessThanOrEqual": "6.1.*", + "status": "unaffected", + "versionType": "custom" + }, + 
{ + "version": "6.6.23", + "lessThanOrEqual": "6.6.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "6.7.11", + "lessThanOrEqual": "6.7.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "6.8.2", + "lessThanOrEqual": "6.8.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "6.9-rc1", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/bd2474a45df7c11412c2587de3d4e43760531418" + }, + { + "url": "https://git.kernel.org/stable/c/6915b1b28fe57e92c78e664366dc61c4f15ff03b" + }, + { + "url": "https://git.kernel.org/stable/c/860e838fb089d652a446ced52cbdf051285b68e7" + }, + { + "url": "https://git.kernel.org/stable/c/9b720bb1a69a9f12a4a5c86b6f89386fe05ed0f2" + }, + { + "url": "https://git.kernel.org/stable/c/343041b59b7810f9cdca371f445dd43b35c740b1" + } + ], + "title": "net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check", + "x_generator": { + "engine": "bippy-d175d3acf727" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2024-26815", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2024/CVE-2024-26815.mbox b/cve/published/2024/CVE-2024-26815.mbox new file mode 100644 index 00000000..afba19c4 --- /dev/null +++ b/cve/published/2024/CVE-2024-26815.mbox 
@@ -0,0 +1,118 @@ +From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2024-26815: net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check +Message-Id: <2024041006-CVE-2024-26815-7f4e@gregkh> +Content-Length: 4526 +Lines: 101 +X-Developer-Signature: v=1; a=openpgp-sha256; l=4628; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=u43zagPQUo1mLf3DaD2zFeUefE1SgcSRl5SMAUCKK/Y=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGliRbcLQjxFJsivX3FkQrzFPUvuf79233/1g+NURd3F7 + 4a1pxzlO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiMpUMc8VL0xv8/p78dVLz + +gmfepXrPXmajxnmh83MjtXYYL+wt87I51mMkF7LibNHAA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check + +taprio_parse_tc_entry() is not correctly checking +TCA_TAPRIO_TC_ENTRY_INDEX attribute: + + int tc; // Signed value + + tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]); + if (tc >= TC_QOPT_MAX_QUEUE) { + NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range"); + return -ERANGE; + } + +syzbot reported that it could fed arbitary negative values: + +UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18 +shift exponent -2147418108 is negative +CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 +Call Trace: + <TASK> + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386 + taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline] + taprio_parse_tc_entries 
net/sched/sch_taprio.c:1768 [inline] + taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877 + taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134 + qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355 + tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776 + rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 + ___sys_sendmsg net/socket.c:2638 [inline] + __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 +RIP: 0033:0x7f1b2dea3759 +Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759 +RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004 +RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000 +R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340 +R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340 + +The Linux kernel CVE team has assigned CVE-2024-26815 to this issue. 
+ + +Affected and fixed versions +=========================== + + Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.1.83 with commit bd2474a45df7 + Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.6.23 with commit 6915b1b28fe5 + Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.7.11 with commit 860e838fb089 + Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.8.2 with commit 9b720bb1a69a + Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.9-rc1 with commit 343041b59b78 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2024-26815 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + net/sched/sch_taprio.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/bd2474a45df7c11412c2587de3d4e43760531418 + https://git.kernel.org/stable/c/6915b1b28fe57e92c78e664366dc61c4f15ff03b + https://git.kernel.org/stable/c/860e838fb089d652a446ced52cbdf051285b68e7 + https://git.kernel.org/stable/c/9b720bb1a69a9f12a4a5c86b6f89386fe05ed0f2 + https://git.kernel.org/stable/c/343041b59b7810f9cdca371f445dd43b35c740b1 
diff --git a/cve/published/2024/CVE-2024-26815.sha1 b/cve/published/2024/CVE-2024-26815.sha1
new file mode 100644
index 00000000..9ec487ac
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26815.sha1
@@ -0,0 +1 @@
+343041b59b7810f9cdca371f445dd43b35c740b1 |