CVE-2024-35973 in Linux

Summary

by MITRE • 05/20/2024

In the Linux kernel, the following vulnerability has been resolved:

geneve: fix header validation in geneve[6]_xmit_skb

syzbot is able to trigger an uninit-value in geneve_xmit() [1]

Problem: While most ip tunnel helpers (like ip_tunnel_get_dsfield()) use skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol.

If anything other than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all.

If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected.

Add skb_vlan_inet_prepare() to perform a complete mac validation.

Use this in geneve for the moment, I suspect we need to adopt this more broadly.

v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest - Only call __vlan_get_protocol() for vlan types.

v2,v3 - Addressed Sabrina comments on v1 and v2

[1]

BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]
BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
 geneve_xmit_skb drivers/net/geneve.c:910 [inline]
 geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 __sys_sendto+0x685/0x830 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3804 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
 alloc_skb include/linux/skbuff.h:1318 [inline]
 alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
 packet_alloc_skb net/packet/af_packet.c:2930 [inline]
 packet_snd net/packet/af_packet.c:3024 [inline]
 packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 __sys_sendto+0x685/0x830 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024


Analysis

by VulDB Data Team • 10/30/2024

The vulnerability identified as CVE-2024-35973 affects the Linux kernel's Geneve tunneling implementation, specifically within the geneve_xmit_skb function. This issue stems from inadequate header validation during packet transmission, creating a potential for uninitialized memory access that could lead to system instability or exploitation. The problem manifests when processing packets through the Geneve tunneling mechanism, where the kernel fails to properly validate network headers, particularly in scenarios involving VLAN tags and packet construction.

The root cause is inconsistent protocol validation between kernel helpers. Most IP tunnel helpers call skb_protocol(skb, true), which looks through VLAN tags to find the real network-layer protocol, whereas pskb_inet_may_pull() examines only skb->protocol. When that field holds anything other than ETH_P_IP or ETH_P_IPV6 (a VLAN EtherType, for example), pskb_inet_may_pull() performs no validation at all and returns immediately. In the syzbot-triggered case, af_packet supplied a VLAN tag, so the network header did not point to the correct location and the linear part of the skb was smaller than expected; the subsequent read of header fields touched uninitialized memory, which KMSAN (Kernel Memory Sanitizer) reported.

The vulnerability demonstrates a classic uninitialized memory access pattern that aligns with CWE-457: Use of Uninitialized Variable, and could potentially be leveraged for privilege escalation or denial of service attacks under specific conditions. The attack vector involves sending crafted packets through the Geneve tunneling interface, which triggers the uninitialized memory read during packet transmission. This type of vulnerability is particularly concerning in network-facing kernel components as it could be exploited by remote attackers to cause system crashes or potentially gain elevated privileges.

The fix introduces a new skb_vlan_inet_prepare() helper that performs complete MAC validation before packet processing, so the header check holds regardless of VLAN tagging or of how the calling interface constructed the packet. The change is applied to the Geneve driver for now, while the commit message notes that the helper should probably be adopted more broadly. The v4 revision also resolves a regression that v3 had caused in the l2_tos_ttl_inherit.sh selftest: __vlan_get_protocol() is now called only for VLAN EtherTypes rather than for every packet, preserving existing behaviour while adding the needed validation.
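To make the root cause and the fix concrete, the following is an added userspace model, not kernel code and not part of this advisory. The struct toy_skb and the functions toy_may_pull, toy_vlan_get_protocol, old_pskb_inet_may_pull and new_skb_vlan_inet_prepare are simplified stand-ins for the kernel's sk_buff, pskb_may_pull(), __vlan_get_protocol(), the pre-patch pskb_inet_may_pull() and the patched skb_vlan_inet_prepare(); the sample frame (a single 802.1Q tag in front of a truncated IPv4 header) is constructed for the example.

```c
/* Added example: userspace model of the header-validation gap behind
 * CVE-2024-35973. Names below are stand-ins for kernel helpers, not the
 * kernel's own code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP     0x0800
#define ETH_P_IPV6   0x86DD
#define ETH_P_8021Q  0x8100
#define ETH_P_8021AD 0x88A8
#define ETH_HLEN     14
#define VLAN_HLEN    4
#define IPV4_HLEN    20
#define IPV6_HLEN    40

struct toy_skb {                /* minimal sk_buff stand-in */
    const uint8_t *data;
    size_t linear_len;          /* bytes really present in the linear part */
    uint16_t protocol;          /* skb->protocol as set by the caller */
    size_t network_offset;      /* where the network header is believed to start */
};

static bool eth_type_vlan(uint16_t type)
{
    return type == ETH_P_8021Q || type == ETH_P_8021AD;
}

/* pskb_may_pull() stand-in: `len` bytes must exist in the linear part. */
static bool toy_may_pull(const struct toy_skb *skb, size_t len)
{
    return len <= skb->linear_len;
}

/* Pre-patch behaviour: only skb->protocol is consulted; anything other than
 * IP/IPv6 (a VLAN EtherType, for instance) is waved through unchecked. */
static bool old_pskb_inet_may_pull(const struct toy_skb *skb)
{
    size_t nhlen;
    switch (skb->protocol) {
    case ETH_P_IPV6: nhlen = IPV6_HLEN; break;
    case ETH_P_IP:   nhlen = IPV4_HLEN; break;
    default:         return true;        /* the gap */
    }
    return toy_may_pull(skb, skb->network_offset + nhlen);
}

/* __vlan_get_protocol() stand-in: walk 802.1Q/802.1ad tags after the Ethernet
 * header, advance *depth past them, return the encapsulated EtherType
 * (0 if a tag does not fit in the linear part). */
static uint16_t toy_vlan_get_protocol(const struct toy_skb *skb, uint16_t type, size_t *depth)
{
    size_t d = *depth;
    int tags = 0;
    while (eth_type_vlan(type)) {
        if (++tags > 8 || !toy_may_pull(skb, d + VLAN_HLEN))
            return 0;
        type = (uint16_t)((skb->data[d + 2] << 8) | skb->data[d + 3]);
        d += VLAN_HLEN;
    }
    *depth = d;
    return type;
}

/* Post-patch behaviour: derive the real L3 protocol and MAC length (tags are
 * walked only for VLAN EtherTypes, as in v4), require MAC + full L3 header to
 * be present, then place the network header after the tags. */
static bool new_skb_vlan_inet_prepare(struct toy_skb *skb)
{
    size_t maclen = ETH_HLEN, nhlen = 0;
    uint16_t type = skb->protocol;

    if (eth_type_vlan(type))
        type = toy_vlan_get_protocol(skb, type, &maclen);
    switch (type) {
    case ETH_P_IPV6: nhlen = IPV6_HLEN; break;
    case ETH_P_IP:   nhlen = IPV4_HLEN; break;
    }
    if (!toy_may_pull(skb, maclen + nhlen))
        return false;
    skb->network_offset = maclen;
    return true;
}

/* Constructed sample: Ethernet header (EtherType 802.1Q), one tag for VLAN 10
 * encapsulating ETH_P_IP, then `ip_bytes` bytes of IPv4 header. The caller
 * behaves like af_packet: outer VLAN type in protocol, network header at 14. */
static struct toy_skb build_tagged_skb(uint8_t *buf, size_t ip_bytes)
{
    static const uint8_t hdr[ETH_HLEN + VLAN_HLEN] = {
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02,
        0x81,0x00, 0x00,0x0a, 0x08,0x00 };
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0, ip_bytes);   /* IPv4 contents irrelevant here */
    struct toy_skb skb = { buf, sizeof hdr + ip_bytes, ETH_P_8021Q, ETH_HLEN };
    return skb;
}

/* Does the pre-patch check accept a tagged frame with `ip_bytes` of IPv4 header? */
bool old_check_accepts(size_t ip_bytes)
{
    uint8_t buf[64];
    struct toy_skb skb = build_tagged_skb(buf, ip_bytes);
    return old_pskb_inet_may_pull(&skb);
}

/* Patched check: returns the corrected network offset, or -1 on rejection. */
long new_check_network_offset(size_t ip_bytes)
{
    uint8_t buf[64];
    struct toy_skb skb = build_tagged_skb(buf, ip_bytes);
    return new_skb_vlan_inet_prepare(&skb) ? (long)skb.network_offset : -1;
}

int main(void)
{
    printf("8-byte IPv4 stub:  old=%d new_offset=%ld\n", old_check_accepts(8), new_check_network_offset(8));
    printf("full IPv4 header:  old=%d new_offset=%ld\n", old_check_accepts(20), new_check_network_offset(20));
    return 0;
}
```

With only 8 bytes of IPv4 header behind the tag, the old check accepts the frame (it never looks past the VLAN EtherType) while the new one rejects it, because 14 + 4 + 20 bytes are not pullable; with a full header the new check accepts and moves the network offset from 14 to 18, which is the position a later header read would actually need.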

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential security risk in environments where Geneve tunneling is actively used for network virtualization or container networking. The vulnerability affects systems running Linux kernel versions that include the Geneve tunneling implementation, particularly those utilizing the af_packet interface for packet capture and injection. Organizations using virtualized environments, container orchestration platforms, or network virtualization technologies should assess their exposure to this vulnerability, as it could potentially be exploited to disrupt network services or compromise system integrity.

Mitigation strategies should include applying the kernel patch that implements the skb_vlan_inet_prepare() validation mechanism, ensuring that all systems running affected kernel versions receive the necessary updates. Network administrators should also monitor for any unusual packet transmission patterns or system instability that might indicate exploitation attempts. The fix demonstrates the importance of consistent protocol validation across kernel network subsystems and highlights the need for comprehensive testing of network interfaces under various packet construction scenarios. This vulnerability underscores the critical nature of kernel memory safety and the potential consequences of inadequate input validation in core network components.

Reservation

05/17/2024

Disclosure

05/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00250

KEV

no

Activities

very low

Sources
