CVE-2024-41090 fix for 8_6_lts. #96
The patch looks fine - here's a document with pointers for testing it. https://ciqinc.atlassian.net/wiki/spaces/ENG/pages/1022820360/Testing https://ciqinc.atlassian.net/wiki/spaces/ENG/pages/574652455/Kernel+Self+Testing |
@jallisonciq little tweak needed in commit message this:
should be this:
which is likely the difference between passing this to ciq-cherry-pick:
and this:
The reason I know is because I messed this up and caused a whole bunch of trouble for @PlaidCat 🥲 |
@jallisonciq Also you've got double "Signed-off-by"s and one of them isn't indented which could get you on an email cc list someday (Just learned that today during maple's kernel cve 101 class) |
OK, I already did the pre install and post install kernel self tests. Looks fine (only changes I could see are things like process numbers, timings etc.). |
Oh ! Thanks so much for that. I'll fix and re-push. |
Will fix and re-push. Thanks ! |
39b41ec to eb3236b
jira VULN-8269
cve CVE-2024-41090
commit-author Si-Wei Liu <si-wei.liu@oracle.com>
commit ed7f2af
The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted.
This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does.
CVE: CVE-2024-41090
Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
Fixes: 0efac27 ("tap: accept an array of XDP buffs through sendmsg()")
Cc: stable@vger.kernel.org
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit ed7f2af)
Signed-off-by: Jeremy Allison <jallison@ciq.com>
eb3236b to fda0916
Hi Jeremy, if you could upload the before and after kernel test logs I'll give them a look. Thanks! |
Where should I upload them to ? Do we have an expected site for this ? |
Here - if you edit the description box there is a 'Paste, drop or click to add files' button. You can use that in the description or even the reply here. |
Thanks - I attached the before and after logs. |
Thanks! I've had a look at them.
I ran the following commands to look at the differences between the two test logs. Using this grep command filters out the noise and leaves us with what we're really interested in, which is what tests passed and/or failed or were skipped.
Thanks! |
I left some comments, but the change looks correct. Thanks Jeremy!
🥌
OK, so to complete I just click on the "Rebase and merge" button, yeah ? Don't want to add a merge commit if that's not how we're doing things. |
I have disabled |
There's no harm in the rebase to merge except that in my case it will remove my gpg verified signatures. So when I merge I do a local merge -ff to preserve my gpg signatures and then push. Only matters if you want to preserve your gpg verified signatures. |
kernel-selftest-baseline-8.6.log
kernel-selftest-8.6-patched.log
jira VULN-8269
CVE-2024-41090
commit-author Si-Wei Liu <si-wei.liu@oracle.com>
commit ed7f2af
The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted.
This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does.
CVE: CVE-2024-41090
Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
Fixes: 0efac27 ("tap: accept an array of XDP buffs through sendmsg()")
Cc: stable@vger.kernel.org
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit ed7f2af)
Signed-off-by: Jeremy Allison <jallison@ciq.com>
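The check the commit message describes, as an added userspace illustration (not the kernel patch and not code from this PR): each buffer in a batch is length-checked against ETH_HLEN before any header field is read, and short frames are dropped. `struct frame_buf`, `frame_network_offset()`, `process_batch()` and the sample frames are hypothetical, constructed stand-ins.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14 /* dst MAC (6) + src MAC (6) + EtherType (2) */

/* Hypothetical stand-in for one buffer of a batch: bytes in [data, data_end). */
struct frame_buf { const uint8_t *data, *data_end; };

/* Return the network-header offset and store the EtherType in *proto, or
 * -EINVAL for a frame too short to hold an Ethernet header. The length test
 * comes first, so bytes 12..13 are never read past data_end. */
static int frame_network_offset(const struct frame_buf *f, uint16_t *proto)
{
    if (f->data_end - f->data < ETH_HLEN)
        return -EINVAL;
    *proto = (uint16_t)((f->data[12] << 8) | f->data[13]);
    return ETH_HLEN;
}

/* Walk a batch: return the number of accepted frames, report drops. */
static size_t process_batch(const struct frame_buf *b, size_t n, size_t *dropped)
{
    size_t ok = 0;
    uint16_t proto;
    *dropped = 0;
    for (size_t i = 0; i < n; i++)
        if (frame_network_offset(&b[i], &proto) < 0)
            (*dropped)++;   /* short frame: drop, do not forward */
        else
            ok++;
    return ok;
}

/* Constructed sample data: one IPv4-tagged frame and one 8-byte runt. */
static const uint8_t full_frame[16] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0 };
static const uint8_t runt_frame[8] = { 2,0,0,0,0,1, 2,0 };
static const struct frame_buf sample_batch[3] = {
    { full_frame, full_frame + sizeof full_frame },  /* accepted */
    { runt_frame, runt_frame + sizeof runt_frame },  /* dropped */
    { full_frame, full_frame + ETH_HLEN },           /* exactly 14: accepted */
};

int main(void)
{
    size_t dropped, ok = process_batch(sample_batch, 3, &dropped);
    printf("accepted=%zu dropped=%zu\n", ok, dropped);
    return 0;
}
```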