APPLIED: [SRU][J/F][PATCH 0/1] CVE-2024-38538

[Roxana Nicolescu]

On 18/09/2024 07:07, Koichiro Den wrote:
> [Impact]
>
> net: bridge: xmit: make sure we have at least eth header len bytes
> syzbot triggered an uninit value error in bridge device's xmit path
> by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
> we can actually pull that amount instead of assuming.
>
> Tested with dropwatch:
>   drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
>   origin: software
>   timestamp: Mon May 13 11:31:53 2024 778214037 nsec
>   protocol: 0x88a8
>   length: 2
>   original length: 2
>   drop reason: PKT_TOO_SMALL
>
> [Backport]
>
> For Jammy, adjusted context due to missing commits:
> - 7b4858df3bf7 ("skbuff: bridge: Add layer 2 miss indication")
> - 1fb2d41501f3 ("net: add pskb_may_pull_reason() helper")
>
> For Focal, adjusted context due to missing commits:
> - 7b4858df3bf7 ("skbuff: bridge: Add layer 2 miss indication")
> - 1fb2d41501f3 ("net: add pskb_may_pull_reason() helper")
> - c504e5c2f964 ("net: skb: introduce kfree_skb_reason()")
>
> [Fix]
>
> Noble:  fixed via stable
> Jammy:  Backport - adjusted contexts, see [Backport]
> Focal:  Backport - adjusted contexts, see [Backport]
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: won't fix
>
> [Test case]
>
> Compile and boot tested.
> Also stress-tested by the syzbot repro.
>
> [Where problem could occur]
>
> This fix impacts bridge xmit path, an issue with this fix would be
> visible to the user via KMSAN splat if enabled.
>
>
> Nikolay Aleksandrov (1):
>    net: bridge: xmit: make sure we have at least eth header len bytes
>
>   net/bridge/br_device.c | 5 +++++
>   1 file changed, 5 insertions(+)
>
Applied to jammy:linux, focal:linux master-next branches. Thanks!