Bug 2272793 (CVE-2024-26665)
Summary: | CVE-2024-26665 kernel: tunnels: fix out of bounds access when building IPv6 PMTU error | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, gmcnealy, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sidakwo, sukulkar, tglozar, tyberry, vkumar, vsroka, wcosta, williams, wmealing, ycote, ykopkova, zhijwang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | kernel 5.10.210, kernel 5.15.149, kernel 6.1.78, kernel 6.6.17, kernel 6.7.5, kernel 6.8 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the Linux kernel. This issue occurs due to the improper handling of non-linear skbs (socket buffers) when calculating checksums for ICMPv6 PMTU error messages. This vulnerability can lead to out-of-bounds access, potentially causing memory corruption or crashes.
|
Bug Depends On: | 2272794 | ||
Bug Blocks: | 2272924 |
Description
Mauro Matteo Cascella
2024-04-02 23:16:22 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2272794] This was fixed for Fedora with the 6.7.5 stable kernel updates. Comparing the RHEL8.4+kernel-4.18.0.425.3.1 kernel source code, particularly the file /net/ipv4/ip_tunnel_core.c versus the code affected by CVE-2024-26665. Based on the document: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e77bf828f1ca1c47fcff58bdc26b60a9d3dfbe1d The fix does the following: ------------------------------------ diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c index da9a55c68e11e..ba1388ba6c6e5 100644 --- a/net/ipv4/ip_tunnel_core.c +++ b/net/ipv4/ip_tunnel_core.c 
@@ -332,7 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu) }; skb_reset_network_header(skb); - csum = csum_partial(icmp6h, len, 0); + csum = skb_checksum(skb, skb_transport_offset(skb), len, 0); icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len, IPPROTO_ICMPV6, csum); ------------------------------------ And checking the code from RHEL8.4+kernel-4.18.0.425.3.1 kernel source code file /net/ipv4/ip_tunnel_core.c ------------------------------------ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu) { const struct ipv6hdr *ip6h = ipv6_hdr(skb); struct icmp6hdr *icmp6h; struct ipv6hdr *nip6h; struct ethhdr eh; int len, err; __wsum csum; if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr))) return -EINVAL; skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN); pskb_pull(skb, ETH_HLEN); skb_reset_network_header(skb); err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h)); if (err) return err; len = skb->len + sizeof(*icmp6h); err = skb_cow(skb, sizeof(*nip6h) + sizeof(*icmp6h) + ETH_HLEN); if (err) return err; icmp6h = skb_push(skb, sizeof(*icmp6h)); *icmp6h = (struct icmp6hdr) { .icmp6_type = ICMPV6_PKT_TOOBIG, .icmp6_code = 0, .icmp6_cksum = 0, .icmp6_mtu = htonl(mtu), }; skb_reset_transport_header(skb); nip6h = skb_push(skb, sizeof(*nip6h)); *nip6h = (struct ipv6hdr) { .priority = 0, .version = 6, .flow_lbl = { 0 }, .payload_len = htons(len), .nexthdr = IPPROTO_ICMPV6, .hop_limit = ip6h->hop_limit, .saddr = ip6h->daddr, .daddr = ip6h->saddr, }; skb_reset_network_header(skb); csum = csum_partial(icmp6h, len, 0); icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len, IPPROTO_ICMPV6, csum); skb->ip_summed = CHECKSUM_NONE; eth_header(skb, skb->dev, htons(eh.h_proto), eh.h_source, eh.h_dest, 0); skb_reset_mac_header(skb); return skb->len; } ------------------------------------ The affected code appears to not be included in the RHEL8.4+kernel-4.18.0.425.3.1. 
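Review bot: The new skb_checksum(skb, skb_transport_offset(skb), len, 0) call in iptunnel_pmtud_build_icmpv6() depends on the transport header still pointing at icmp6h, and nothing at the call site says so. In the function body pasted after the patch, skb_reset_transport_header(skb) runs right after the ICMPv6 header push and before the IPv6 header push, so the offset is correct as the code stands, but a later reordering would checksum the wrong range without any error. A short comment above the call would help: it should say that the skb may be non-linear (only ETH_HLEN + sizeof(struct ipv6hdr) is pulled into the linear area, while len is skb->len + sizeof(*icmp6h)) and that the transport offset marks the ICMPv6 header, which records why csum_partial(icmp6h, len, 0) must not come back.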
Can we confirm this?

From my part, I took on the task of researching a little more about the subject, from which I share my conclusions with you.

Reviewing RHEL8.4+kernel-4.18.0.425.3.1 kernel source code, particularly the file /net/ipv4/ip_tunnel_core.c mentioned in (CVE-2024-26665).

Checking the Makefile file, I found that the CONFIG_NET_IP_TUNNEL variable is linked to the ip_tunnel.o object.

$ cat Makefile | grep -i 'CONFIG_NET_IP_TUNNEL'
obj-$(CONFIG_NET_IP_TUNNEL) += ip_tunnel.o

By searching the CONFIG_NET_IP_TUNNEL variable in the kernel configuration files, I was able to find that the ip_tunnel driver is compiled as a module.

$ grep "CONFIG_NET_IP_TUNNEL=" *config | grep -i 's390x'
kernel-4.18.0-s390x.config:CONFIG_NET_IP_TUNNEL=m
kernel-4.18.0-s390x-debug.config:CONFIG_NET_IP_TUNNEL=m

Based on the above, while the module ip_tunnel is not loaded in memory, the system should not have risks, right?

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:7001 https://access.redhat.com/errata/RHSA-2024:7001

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:6993 https://access.redhat.com/errata/RHSA-2024:6993

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:7000 https://access.redhat.com/errata/RHSA-2024:7000
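The Doc Text above attributes the flaw to checksumming a non-linear skb as if it were one flat buffer. The following user-space model is an added example, not kernel or Red Hat code: it contrasts the flat read with a fragment-aware walk. The names toy_skb, linear_overrun, toy_skb_checksum and the sample bytes are hypothetical, and the IPv6 pseudo-header that csum_ipv6_magic() adds is left out.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model (assumption): a linear head plus one non-contiguous page fragment. */
struct toy_skb {
    const uint8_t *head; size_t head_len;
    const uint8_t *frag; size_t frag_len;
};

/* Constructed sample: ICMPv6 Packet Too Big header (MTU 1280) in the head,
 * 4 payload bytes in a separate fragment. */
static const uint8_t sample_head[8] = {0x02, 0, 0, 0, 0, 0, 0x05, 0};
static const uint8_t sample_frag[4] = {0xde, 0xad, 0xbe, 0xef};

/* csum_partial(icmp6h, len, 0) pattern: number of bytes a flat read of len
 * bytes from head + off would touch past the linear area (nonzero = OOB). */
size_t linear_overrun(const struct toy_skb *skb, size_t off, size_t len)
{
    size_t avail = off < skb->head_len ? skb->head_len - off : 0;
    return len > avail ? len - avail : 0;
}

/* Add n bytes to a one's-complement sum; *pos keeps odd/even byte lanes aligned. */
static uint32_t sum_piece(const uint8_t *p, size_t n, uint32_t sum, size_t *pos)
{
    for (size_t i = 0; i < n; i++, (*pos)++)
        sum += (*pos & 1) ? p[i] : (uint32_t)p[i] << 8;
    return sum;
}

/* skb_checksum(skb, offset, len, 0) pattern: walk the head, then the fragment.
 * Returns 0 and stores the folded, inverted sum, or -1 for an invalid range. */
int toy_skb_checksum(const struct toy_skb *skb, size_t off, size_t len, uint16_t *out)
{
    size_t total = skb->head_len + skb->frag_len, pos = 0, n = 0;
    uint32_t sum = 0;

    if (off > total || len > total - off)
        return -1;
    if (off < skb->head_len) {           /* bytes available in the linear head */
        n = skb->head_len - off < len ? skb->head_len - off : len;
        sum = sum_piece(skb->head + off, n, sum, &pos);
        off = skb->head_len;
    }
    if (len > n)                         /* remainder lives in the fragment */
        sum = sum_piece(skb->frag + (off - skb->head_len), len - n, sum, &pos);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    *out = (uint16_t)~sum;
    return 0;
}
```

With 8 linear bytes and 4 paged bytes, a 12-byte flat read overruns the head by 4 bytes, while the walk returns the same checksum as a fully linear copy of the packet.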