Bug 2272793 (CVE-2024-26665) - CVE-2024-26665 kernel: tunnels: fix out of bounds access when building IPv6 PMTU error
Keywords:
Status: NEW
Alias: CVE-2024-26665
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2272794
Blocks: 2272924
Reported: 2024-04-02 23:16 UTC by Mauro Matteo Cascella
Modified: 2024-10-17 06:44 UTC (History)
CC List: 52 users

Fixed In Version: kernel 5.10.210, kernel 5.15.149, kernel 6.1.78, kernel 6.6.17, kernel 6.7.5, kernel 6.8
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2024:7043  0        None      None    None     2024-09-24 09:41:50 UTC
Red Hat Product Errata  RHBA-2024:7198  0        None      None    None     2024-09-26 09:49:28 UTC
Red Hat Product Errata  RHBA-2024:7236  0        None      None    None     2024-09-26 14:32:00 UTC
Red Hat Product Errata  RHBA-2024:7637  0        None      None    None     2024-10-03 14:44:34 UTC
Red Hat Product Errata  RHBA-2024:8227  0        None      None    None     2024-10-17 06:44:32 UTC
Red Hat Product Errata  RHSA-2024:6993  0        None      None    None     2024-09-24 01:11:13 UTC
Red Hat Product Errata  RHSA-2024:7000  0        None      None    None     2024-09-24 02:29:43 UTC
Red Hat Product Errata  RHSA-2024:7001  0        None      None    None     2024-09-24 00:38:07 UTC

Description Mauro Matteo Cascella 2024-04-02 23:16:22 UTC
In the Linux kernel, the following vulnerability has been resolved:

tunnels: fix out of bounds access when building IPv6 PMTU error

The Linux kernel CVE team has assigned CVE-2024-26665 to this issue.

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024040224-CVE-2024-26665-5daa@gregkh/T

Comment 2 Mauro Matteo Cascella 2024-04-02 23:17:05 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2272794]

Comment 6 Justin M. Forbes 2024-04-03 16:47:37 UTC
This was fixed for Fedora with the 6.7.5 stable kernel updates.

Comment 8 gmcnealy@redhat.com 2024-06-11 18:53:49 UTC
I compared the RHEL8.4+kernel-4.18.0.425.3.1 kernel source code, particularly the file /net/ipv4/ip_tunnel_core.c, against the code affected by CVE-2024-26665.

Based on the document:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e77bf828f1ca1c47fcff58bdc26b60a9d3dfbe1d

The fix does the following:
------------------------------------
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index da9a55c68e11e..ba1388ba6c6e5 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -332,7 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
    };
    skb_reset_network_header(skb);
 
-   csum = csum_partial(icmp6h, len, 0);
+   csum = skb_checksum(skb, skb_transport_offset(skb), len, 0);
    icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len,
                          IPPROTO_ICMPV6, csum);
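Review bot: the switch from csum_partial() to skb_checksum() fixes the over-read, but the hunk adds no comment saying why the linear call was unsafe, so a later reader could "simplify" it back. Suggest a one-line comment above the new call: csum_partial(icmp6h, len, 0) reads len bytes contiguously from the ICMPv6 header, which is only valid when the whole message sits in the linear area, whereas skb_checksum() starting at skb_transport_offset(skb) walks the head and any fragments for the same len bytes.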
------------------------------------

And here is the code from the RHEL8.4+kernel-4.18.0.425.3.1 kernel source file /net/ipv4/ip_tunnel_core.c:
------------------------------------
static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
{
        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        struct icmp6hdr *icmp6h;
        struct ipv6hdr *nip6h;
        struct ethhdr eh;
        int len, err;
        __wsum csum;

        if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)))
                return -EINVAL;

        skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
        pskb_pull(skb, ETH_HLEN);
        skb_reset_network_header(skb);

        err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h));
        if (err)
                return err;

        len = skb->len + sizeof(*icmp6h);
        err = skb_cow(skb, sizeof(*nip6h) + sizeof(*icmp6h) + ETH_HLEN);
        if (err)
                return err;

        icmp6h = skb_push(skb, sizeof(*icmp6h));
        *icmp6h = (struct icmp6hdr) {
                .icmp6_type             = ICMPV6_PKT_TOOBIG,
                .icmp6_code             = 0,
                .icmp6_cksum            = 0,
                .icmp6_mtu              = htonl(mtu),
        };
        skb_reset_transport_header(skb);

        nip6h = skb_push(skb, sizeof(*nip6h));
        *nip6h = (struct ipv6hdr) {
                .priority               = 0,
                .version                = 6,
                .flow_lbl               = { 0 },
                .payload_len            = htons(len),
                .nexthdr                = IPPROTO_ICMPV6,
                .hop_limit              = ip6h->hop_limit,
                .saddr                  = ip6h->daddr,
                .daddr                  = ip6h->saddr,
        };
        skb_reset_network_header(skb);

        csum = csum_partial(icmp6h, len, 0);
        icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len,
                                              IPPROTO_ICMPV6, csum);

        skb->ip_summed = CHECKSUM_NONE;

        eth_header(skb, skb->dev, htons(eh.h_proto), eh.h_source, eh.h_dest, 0);
        skb_reset_mac_header(skb);

        return skb->len;
}
------------------------------------

The affected code appears not to be included in RHEL8.4+kernel-4.18.0.425.3.1. Can we confirm this?
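
The RHEL function quoted above still carries the pre-fix line `csum = csum_partial(icmp6h, len, 0);`, which the upstream patch replaces with `skb_checksum(skb, skb_transport_offset(skb), len, 0)`. To make the difference concrete, here is an added user-space model of that checksum step; it is example code written for this page, not kernel code and not from the bug report or the upstream patch. The `struct frag_buf` stand-in for an skb, the names `checksum_linear`, `checksum_walk` and `demo`, and the Packet Too Big message they operate on are all constructed for the example.

```c
/* Added example (not kernel code, not from this bug report): a user-space
 * model of the checksum over-read fixed by CVE-2024-26665.  All names here
 * are hypothetical and the sample message is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an skb: a linear head followed by page fragments. */
struct frag_buf {
    const uint8_t *head;
    size_t head_len;
    struct { const uint8_t *p; size_t len; } frags[4];
    int nr_frags;
};

/* Map a logical offset to the region holding it; -1 when out of range. */
static int byte_at(const struct frag_buf *b, size_t off)
{
    if (off < b->head_len)
        return b->head[off];
    off -= b->head_len;
    for (int i = 0; i < b->nr_frags; i++) {
        if (off < b->frags[i].len)
            return b->frags[i].p[off];
        off -= b->frags[i].len;
    }
    return -1;
}

/* RFC 1071 one's-complement sum, one byte at a time.  Choosing the high or low
 * half of the 16-bit word by position in the message keeps odd fragments right. */
static uint32_t csum_byte(uint32_t sum, size_t pos, uint8_t v)
{
    return sum + ((pos & 1) ? (uint32_t)v : (uint32_t)v << 8);
}

static uint16_t csum_finish(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }

/* Reference checksum over a contiguous buffer. */
uint16_t checksum_flat(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = csum_byte(sum, i, p[i]);
    return csum_finish(sum);
}

/* Pre-fix shape: assume [off, off+len) is in the linear head, as csum_partial(icmp6h, len, 0)
 * did.  The over-read is reported (-1) instead of performed; in the kernel it was real. */
int checksum_linear(const struct frag_buf *b, size_t off, size_t len, uint16_t *out)
{
    if (off + len > b->head_len)
        return -1;
    *out = checksum_flat(b->head + off, len);
    return 0;
}

/* Post-fix shape: walk head and fragments, as skb_checksum() does. */
int checksum_walk(const struct frag_buf *b, size_t off, size_t len, uint16_t *out)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        int v = byte_at(b, off + i);
        if (v < 0)
            return -1;      /* range exceeds the buffer: refuse rather than over-read */
        sum = csum_byte(sum, i, (uint8_t)v);
    }
    *out = csum_finish(sum);
    return 0;
}

/* RFC 1071 worked example: 00 01 f2 03 f4 f5 f6 f7 -> 0x220d. */
uint16_t rfc1071_example(void)
{
    static const uint8_t v[] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };
    return checksum_flat(v, sizeof v);
}

/* Constructed Packet Too Big message: 40-byte IPv6 header and 8-byte ICMPv6 header in
 * the linear head, the quoted original packet in two fragments.  Returns 1 when the
 * fragment walk matches the flat reference and the linear read would overrun the head. */
int demo(void)
{
    uint8_t msg[68] = { 2, 0, 0, 0, 0x00, 0x00, 0x05, 0x00 };   /* type 2, MTU 1280 */
    uint8_t head[48] = { 0x60 };                                /* IPv6 version nibble */
    struct frag_buf b = { .head = head, .head_len = sizeof head, .nr_frags = 2 };
    uint16_t walk = 0, lin = 0;

    for (size_t i = 8; i < sizeof msg; i++)
        msg[i] = (uint8_t)(0x60 + i);                           /* constructed payload */
    memcpy(head + 40, msg, 8);                                  /* only the header is linear */
    b.frags[0].p = msg + 8;  b.frags[0].len = 23;               /* odd split on purpose */
    b.frags[1].p = msg + 31; b.frags[1].len = sizeof msg - 31;

    uint16_t ref = checksum_flat(msg, sizeof msg);
    int walk_rc = checksum_walk(&b, 40, sizeof msg, &walk);     /* 40 = transport offset */
    int lin_rc = checksum_linear(&b, 40, sizeof msg, &lin);
    printf("reference %04x, walk %04x (rc %d), linear rc %d%s\n", ref, walk, walk_rc,
           lin_rc, lin_rc ? " (would read past the linear head)" : "");
    return walk_rc == 0 && walk == ref && lin_rc == -1;
}
```

`checksum_walk()` resolves every logical offset to whichever region holds it, which is the property `skb_checksum()` has and `csum_partial()` over a raw pointer does not. The first fragment is deliberately 23 bytes long so that the one's-complement word boundary falls mid-fragment; summing by position in the message rather than in the fragment is what keeps the result equal to the flat reference. Compile with a C99 compiler and call `demo()`, which returns 1 when the walk matches the reference and the linear read is rejected; `rfc1071_example()` returns the RFC's own 0x220d as an independent check of the arithmetic.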

Comment 15 gmcnealy@redhat.com 2024-06-25 18:10:55 UTC
For my part, I took on the task of researching the subject a little more, and I share my conclusions with you.
I reviewed the RHEL8.4+kernel-4.18.0.425.3.1 kernel source code, particularly the file /net/ipv4/ip_tunnel_core.c mentioned in CVE-2024-26665.

Checking the Makefile, I found that the CONFIG_NET_IP_TUNNEL variable is linked to the ip_tunnel.o object.
$ cat Makefile | grep -i 'CONFIG_NET_IP_TUNNEL'
obj-$(CONFIG_NET_IP_TUNNEL) += ip_tunnel.o

By searching for the CONFIG_NET_IP_TUNNEL variable in the kernel configuration files, I was able to find that the ip_tunnel driver is compiled as a module.

$ grep "CONFIG_NET_IP_TUNNEL=" *config | grep -i 's390x'
kernel-4.18.0-s390x.config:CONFIG_NET_IP_TUNNEL=m
kernel-4.18.0-s390x-debug.config:CONFIG_NET_IP_TUNNEL=m

Based on the above, as long as the ip_tunnel module is not loaded in memory, the system should not be at risk, right?

Comment 135 errata-xmlrpc 2024-09-24 00:38:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7001 https://access.redhat.com/errata/RHSA-2024:7001

Comment 136 errata-xmlrpc 2024-09-24 01:11:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6993 https://access.redhat.com/errata/RHSA-2024:6993

Comment 137 errata-xmlrpc 2024-09-24 02:29:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7000 https://access.redhat.com/errata/RHSA-2024:7000

