authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-10 13:07:17 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-10 13:07:17 +0200
commitfe535e033c26ee9e723effaee3de82315e3dbeb0 (patch)
tree26d19875c9e0d12e871ecb9812f5e35d8bcd2ad3
parentba94d6c76e31a3dd446b6475b9604fa6e2a10473 (diff)
CVE-2024-26815 allocated
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2024/CVE-2024-26815 (renamed from cve/reserved/2024/CVE-2024-26815)0
-rw-r--r--cve/published/2024/CVE-2024-26815.json133
-rw-r--r--cve/published/2024/CVE-2024-26815.mbox118
-rw-r--r--cve/published/2024/CVE-2024-26815.sha11
4 files changed, 252 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26815 b/cve/published/2024/CVE-2024-26815
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26815
+++ b/cve/published/2024/CVE-2024-26815
diff --git a/cve/published/2024/CVE-2024-26815.json b/cve/published/2024/CVE-2024-26815.json
new file mode 100644
index 00000000..a5b12515
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26815.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check\n\ntaprio_parse_tc_entry() is not correctly checking\nTCA_TAPRIO_TC_ENTRY_INDEX attribute:\n\n\tint tc; // Signed value\n\n\ttc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);\n\tif (tc >= TC_QOPT_MAX_QUEUE) {\n\t\tNL_SET_ERR_MSG_MOD(extack, \"TC entry index out of range\");\n\t\treturn -ERANGE;\n\t}\n\nsyzbot reported that it could fed arbitary negative values:\n\nUBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18\nshift exponent -2147418108 is negative\nCPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386\n taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]\n taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]\n taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877\n taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134\n qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355\n tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f1b2dea3759\nCode: 
48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004\nRBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340\nR13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a54fc09e4cba",
+ "lessThan": "bd2474a45df7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a54fc09e4cba",
+ "lessThan": "6915b1b28fe5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a54fc09e4cba",
+ "lessThan": "860e838fb089",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a54fc09e4cba",
+ "lessThan": "9b720bb1a69a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a54fc09e4cba",
+ "lessThan": "343041b59b78",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.1",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.83",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.23",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.11",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.2",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc1",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/bd2474a45df7c11412c2587de3d4e43760531418"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6915b1b28fe57e92c78e664366dc61c4f15ff03b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/860e838fb089d652a446ced52cbdf051285b68e7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9b720bb1a69a9f12a4a5c86b6f89386fe05ed0f2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/343041b59b7810f9cdca371f445dd43b35c740b1"
+ }
+ ],
+ "title": "net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26815",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
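Review bot: The `descriptions[0].value` string in CVE-2024-26815.json shows the faulty check and a full UBSAN trace with register dump, but never says in words why the check fails or what follows from it, so anyone triaging from the record has to work it out from the snippet. The quoted code gives the cause: the `nla_get_u32()` result is stored in `int tc`, so attribute values above INT_MAX turn negative and pass `tc >= TC_QOPT_MAX_QUEUE`, and the trace shows the value then being used as a shift exponent at sch_taprio.c:1722. I would add one sentence ahead of the trace, for example `The u32 index is stored in a signed int, so large values become negative, pass the range check and are later used as a shift exponent.` The record also carries no `problemTypes` or `metrics` entry, so consumers should not read a severity into it; the same description is repeated in the .mbox hunk.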
diff --git a/cve/published/2024/CVE-2024-26815.mbox b/cve/published/2024/CVE-2024-26815.mbox
new file mode 100644
index 00000000..afba19c4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26815.mbox
@@ -0,0 +1,118 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26815: net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check
+Message-Id: <2024041006-CVE-2024-26815-7f4e@gregkh>
+Content-Length: 4526
+Lines: 101
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4628;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=u43zagPQUo1mLf3DaD2zFeUefE1SgcSRl5SMAUCKK/Y=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliRbcLQjxFJsivX3FkQrzFPUvuf79233/1g+NURd3F7
+ 4a1pxzlO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiMpUMc8VL0xv8/p78dVLz
+ +gmfepXrPXmajxnmh83MjtXYYL+wt87I51mMkF7LibNHAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check
+
+taprio_parse_tc_entry() is not correctly checking
+TCA_TAPRIO_TC_ENTRY_INDEX attribute:
+
+ int tc; // Signed value
+
+ tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);
+ if (tc >= TC_QOPT_MAX_QUEUE) {
+ NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range");
+ return -ERANGE;
+ }
+
+syzbot reported that it could fed arbitary negative values:
+
+UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18
+shift exponent -2147418108 is negative
+CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:217 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386
+ taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]
+ taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]
+ taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877
+ taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134
+ qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355
+ tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776
+ rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+ netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f1b2dea3759
+Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759
+RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004
+RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000
+R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340
+R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340
+
+The Linux kernel CVE team has assigned CVE-2024-26815 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.1.83 with commit bd2474a45df7
+ Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.6.23 with commit 6915b1b28fe5
+ Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.7.11 with commit 860e838fb089
+ Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.8.2 with commit 9b720bb1a69a
+ Issue introduced in 6.1 with commit a54fc09e4cba and fixed in 6.9-rc1 with commit 343041b59b78
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26815
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/sched/sch_taprio.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/bd2474a45df7c11412c2587de3d4e43760531418
+ https://git.kernel.org/stable/c/6915b1b28fe57e92c78e664366dc61c4f15ff03b
+ https://git.kernel.org/stable/c/860e838fb089d652a446ced52cbdf051285b68e7
+ https://git.kernel.org/stable/c/9b720bb1a69a9f12a4a5c86b6f89386fe05ed0f2
+ https://git.kernel.org/stable/c/343041b59b7810f9cdca371f445dd43b35c740b1
diff --git a/cve/published/2024/CVE-2024-26815.sha1 b/cve/published/2024/CVE-2024-26815.sha1
new file mode 100644
index 00000000..9ec487ac
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26815.sha1
@@ -0,0 +1 @@
+343041b59b7810f9cdca371f445dd43b35c740b1