[SRU][J/F][PATCH 0/1] CVE-2024-38538

Koichiro Den koichiro.den at canonical.com
Wed Sep 18 05:07:54 UTC 2024


[Impact]

net: bridge: xmit: make sure we have at least eth header len bytes
syzbot triggered an uninit value error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
 drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
 origin: software
 timestamp: Mon May 13 11:31:53 2024 778214037 nsec
 protocol: 0x88a8
 length: 2
 original length: 2
 drop reason: PKT_TOO_SMALL

[Backport]

For Jammy, adjusted context due to missing commits:
- 7b4858df3bf7 ("skbuff: bridge: Add layer 2 miss indication")
- 1fb2d41501f3 ("net: add pskb_may_pull_reason() helper")

For Focal, adjusted context due to missing commits:
- 7b4858df3bf7 ("skbuff: bridge: Add layer 2 miss indication")
- 1fb2d41501f3 ("net: add pskb_may_pull_reason() helper")
- c504e5c2f964 ("net: skb: introduce kfree_skb_reason()")

[Fix]

Noble:  fixed via stable
Jammy:  Backport - adjusted contexts, see [Backport]
Focal:  Backport - adjusted contexts, see [Backport]
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix

[Test case]

Compile and boot tested.
Also stress-tested by the syzbot repro.

[Where problem could occur]

This fix impacts the bridge xmit path; an issue with this fix would be
visible to the user via a KMSAN splat, if enabled.


Nikolay Aleksandrov (1):
  net: bridge: xmit: make sure we have at least eth header len bytes

 net/bridge/br_device.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
2.43.0
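
The length check described under [Impact], modelled in userspace C as an added example; it is not part of the original message or of the kernel patch. `struct frame`, `xmit_parse` and the enum names are hypothetical stand-ins (the kernel code works on an skb, not a flat buffer), and both sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14 /* 6-byte dst MAC + 6-byte src MAC + 2-byte EtherType */

/* Hypothetical names; PKT_TOO_SMALL echoes the dropwatch reason above. */
enum drop_reason { REASON_NONE = 0, REASON_PKT_TOO_SMALL };

/* Minimal stand-in for an skb: a byte buffer and its valid length. */
struct frame { const uint8_t *data; size_t len; };

struct eth_info { uint8_t dst[6]; uint8_t src[6]; uint16_t proto; };

/* Constructed inputs: a 2-byte frame (same length as the dropped packet
 * in the dropwatch output) and a minimal 14-byte frame. */
static const uint8_t short_frame[2] = { 0x88, 0xa8 };
static const uint8_t full_frame[ETH_HLEN] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* destination MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* source MAC */
    0x88, 0xa8                          /* EtherType */
};

/* Refuse to read the header unless ETH_HLEN bytes are really present.
 * Without this guard the copies below would read past the valid data,
 * which is the uninitialised-value read the fix prevents. */
static enum drop_reason xmit_parse(const struct frame *f, struct eth_info *out)
{
    if (f->len < ETH_HLEN)
        return REASON_PKT_TOO_SMALL; /* drop; *out is left untouched */
    memcpy(out->dst, f->data, 6);
    memcpy(out->src, f->data + 6, 6);
    out->proto = (uint16_t)((f->data[12] << 8) | f->data[13]);
    return REASON_NONE;
}

int main(void)
{
    struct eth_info info;
    struct frame s = { short_frame, sizeof short_frame };
    struct frame g = { full_frame, sizeof full_frame };
    printf("short: reason=%d\n", xmit_parse(&s, &info));
    printf("full:  reason=%d", xmit_parse(&g, &info));
    printf(" proto=0x%04x\n", info.proto);
    return 0;
}
```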



