The 2nd patch fixes CVE-2024-38538, but it requires the helper function pskb_may_pull_reason which is defined in the 1st patch. Backport both together.
Eric Dumazet (1): net: add pskb_may_pull_reason() helper
Nikolay Aleksandrov (1): net: bridge: xmit: make sure we have at least eth header len bytes
include/linux/skbuff.h | 19 +++++++++++++++---- net/bridge/br_device.c | 6 ++++++ 2 files changed, 21 insertions(+), 4 deletions(-)
From: Eric Dumazet edumazet@google.com
[ Upstream commit 1fb2d41501f38192d8a19da585cd441cf8845697 ]
pskb_may_pull() can fail for two different reasons.
Provide pskb_may_pull_reason() helper to distinguish between these reasons.
It returns:
SKB_NOT_DROPPED_YET : Success SKB_DROP_REASON_PKT_TOO_SMALL : packet too small SKB_DROP_REASON_NOMEM : skb->head could not be resized
Signed-off-by: Eric Dumazet edumazet@google.com Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: Jakub Kicinski kuba@kernel.org Stable-dep-of: 8bd67ebb50c0 ("net: bridge: xmit: make sure we have at least eth header len bytes") Signed-off-by: Sasha Levin sashal@kernel.org [Sherry: bp to 5.15.y. Minor conflicts due to missing commit d427c8999b07 ("net-next: skbuff: refactor pskb_pull") which is not necessary in 5.15.y. Ignore context change. Signed-off-by: Sherry Yang sherry.yang@oracle.com --- include/linux/skbuff.h | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b230c422dc3b..f92e8fe4f5eb 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2465,13 +2465,24 @@ static inline void *pskb_pull(struct sk_buff *skb, unsigned int len) return unlikely(len > skb->len) ? NULL : __pskb_pull(skb, len); }
-static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) +static inline enum skb_drop_reason +pskb_may_pull_reason(struct sk_buff *skb, unsigned int len) { if (likely(len <= skb_headlen(skb))) - return true; + return SKB_NOT_DROPPED_YET; + if (unlikely(len > skb->len)) - return false; - return __pskb_pull_tail(skb, len - skb_headlen(skb)) != NULL; + return SKB_DROP_REASON_PKT_TOO_SMALL; + + if (unlikely(!__pskb_pull_tail(skb, len - skb_headlen(skb)))) + return SKB_DROP_REASON_NOMEM; + + return SKB_NOT_DROPPED_YET; +} + +static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) +{ + return pskb_may_pull_reason(skb, len) == SKB_NOT_DROPPED_YET; }
void skb_condense(struct sk_buff *skb);
On Fri, Oct 04, 2024 at 10:03:27AM -0700, Sherry Yang wrote:
From: Eric Dumazet edumazet@google.com
[ Upstream commit 1fb2d41501f38192d8a19da585cd441cf8845697 ]
pskb_may_pull() can fail for two different reasons.
Provide pskb_may_pull_reason() helper to distinguish between these reasons.
It returns:
SKB_NOT_DROPPED_YET : Success SKB_DROP_REASON_PKT_TOO_SMALL : packet too small SKB_DROP_REASON_NOMEM : skb->head could not be resized
Signed-off-by: Eric Dumazet edumazet@google.com Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: Jakub Kicinski kuba@kernel.org Stable-dep-of: 8bd67ebb50c0 ("net: bridge: xmit: make sure we have at least eth header len bytes") Signed-off-by: Sasha Levin sashal@kernel.org [Sherry: bp to 5.15.y. Minor conflicts due to missing commit d427c8999b07 ("net-next: skbuff: refactor pskb_pull") which is not necessary in 5.15.y. Ignore context change. Signed-off-by: Sherry Yang sherry.yang@oracle.com
include/linux/skbuff.h | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b230c422dc3b..f92e8fe4f5eb 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2465,13 +2465,24 @@ static inline void *pskb_pull(struct sk_buff *skb, unsigned int len) return unlikely(len > skb->len) ? NULL : __pskb_pull(skb, len); } -static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) +static inline enum skb_drop_reason +pskb_may_pull_reason(struct sk_buff *skb, unsigned int len) { if (likely(len <= skb_headlen(skb)))
return true;
return SKB_NOT_DROPPED_YET;- if (unlikely(len > skb->len))
return false;- return __pskb_pull_tail(skb, len - skb_headlen(skb)) != NULL;
return SKB_DROP_REASON_PKT_TOO_SMALL;- if (unlikely(!__pskb_pull_tail(skb, len - skb_headlen(skb))))
return SKB_DROP_REASON_NOMEM;- return SKB_NOT_DROPPED_YET;
+}
+static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) +{
- return pskb_may_pull_reason(skb, len) == SKB_NOT_DROPPED_YET;
} void skb_condense(struct sk_buff *skb); -- 2.46.0
Any specific reason why you didn't test build this patch?
It breaks the build into thousands of tiny pieces.
greg k-h
Hi Greg,
On Oct 8, 2024, at 3:36 AM, Greg KH gregkh@linuxfoundation.org wrote:
On Fri, Oct 04, 2024 at 10:03:27AM -0700, Sherry Yang wrote:
From: Eric Dumazet edumazet@google.com
[ Upstream commit 1fb2d41501f38192d8a19da585cd441cf8845697 ]
pskb_may_pull() can fail for two different reasons.
Provide pskb_may_pull_reason() helper to distinguish between these reasons.
It returns:
SKB_NOT_DROPPED_YET : Success SKB_DROP_REASON_PKT_TOO_SMALL : packet too small SKB_DROP_REASON_NOMEM : skb->head could not be resized
Signed-off-by: Eric Dumazet edumazet@google.com Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: Jakub Kicinski kuba@kernel.org Stable-dep-of: 8bd67ebb50c0 ("net: bridge: xmit: make sure we have at least eth header len bytes") Signed-off-by: Sasha Levin sashal@kernel.org [Sherry: bp to 5.15.y. Minor conflicts due to missing commit d427c8999b07 ("net-next: skbuff: refactor pskb_pull") which is not necessary in 5.15.y. Ignore context change. Signed-off-by: Sherry Yang sherry.yang@oracle.com
include/linux/skbuff.h | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b230c422dc3b..f92e8fe4f5eb 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2465,13 +2465,24 @@ static inline void *pskb_pull(struct sk_buff *skb, unsigned int len) return unlikely(len > skb->len) ? NULL : __pskb_pull(skb, len); }
-static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) +static inline enum skb_drop_reason +pskb_may_pull_reason(struct sk_buff *skb, unsigned int len) { if (likely(len <= skb_headlen(skb)))
- return true;
- return SKB_NOT_DROPPED_YET;
if (unlikely(len > skb->len))
- return false;
- return __pskb_pull_tail(skb, len - skb_headlen(skb)) != NULL;
- return SKB_DROP_REASON_PKT_TOO_SMALL;
- if (unlikely(!__pskb_pull_tail(skb, len - skb_headlen(skb))))
- return SKB_DROP_REASON_NOMEM;
- return SKB_NOT_DROPPED_YET;
+}
+static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) +{
- return pskb_may_pull_reason(skb, len) == SKB_NOT_DROPPED_YET;
}
void skb_condense(struct sk_buff *skb);
2.46.0
Any specific reason why you didn't test build this patch?
It breaks the build into thousands of tiny pieces.
Sorry about the build failure. We have a branch which was forked from 5.15.y, and I did build and some smoke tests there. The build and smoke tests passed on our branch. However, I didn’t notice our branch backported prerequisite commits which made it diverge from linux-stable 5.15.y. I will apply the patch to upstream/linux-stable and build there before I send patch to upstream/linux-stable next time.
Sorry about the inconvenience.
Sherry
greg k-h
From: Nikolay Aleksandrov razor@blackwall.org
[ Upstream commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc ]
syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming.
Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL
[1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40 Signed-off-by: Nikolay Aleksandrov razor@blackwall.org Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org [Sherry: bp to 5.15.y. This is to fix CVE-2024-38538] Signed-off-by: Sherry Yang sherry.yang@oracle.com --- net/bridge/br_device.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 8d6bab244c4a..89ca2169ea43 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -27,6 +27,7 @@ EXPORT_SYMBOL_GPL(nf_br_ops); /* net device transmit always called with BH disabled */ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) { + enum skb_drop_reason reason = pskb_may_pull_reason(skb, ETH_HLEN); struct net_bridge_mcast_port *pmctx_null = NULL; struct net_bridge *br = netdev_priv(dev); struct net_bridge_mcast *brmctx = &br->multicast_ctx; @@ -38,6 +39,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) const unsigned char *dest; u16 vid = 0;
+ if (unlikely(reason != SKB_NOT_DROPPED_YET)) { + kfree_skb_reason(skb, reason); + return NETDEV_TX_OK; + } + memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
rcu_read_lock();
From: Randy MacLeod Randy.MacLeod@windriver.com
[ Upstream commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc ]
Based on above commit but simplified since pskb_may_pull_reason() does not exist until 6.1.
syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40 Signed-off-by: Randy MacLeod Randy.MacLeod@windriver.com --- net/bridge/br_device.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 8d6bab244c4a..b2fa4ca28102 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -38,6 +38,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) const unsigned char *dest; u16 vid = 0;
+ if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) { + kfree_skb(skb); + return NETDEV_TX_OK; + } + memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
rcu_read_lock();
linux-stable-mirror@lists.linaro.org
-
Greg KH -
Randy.MacLeod@windriver.com -
Sherry Yang