Message ID | 20240711214642.133844-1-vinicius.peixoto@canonical.com |
---|---|
Series | CVE-2024-36901 |

On Thu, Jul 11, 2024 at 06:46:41PM -0300, Vinicius Peixoto wrote:
> [Impact]
> According to syzbot, there is a chance that ip6_dst_idev()
> returns NULL in ip6_output(). Most places in IPv6 stack
> deal with a NULL idev just fine, but not here.
>
> [Backport]
> Due to the lack of upstream commits
>
> 5e187189ec324f78035d33a4bc123a9c4ca6f3e3 ("net: ip: add skb drop reasons for ip egress path")
> d289ab65b89c1d4d88417cb6c03e923f21f95fae ("ipv6: annotate data-races around cnf.disable_ipv6")
>
> Jammy, Focal, Bionic and Xenial had a context conflict.
> Xenial is also missing the following commits:
>
> 97a7a37a7b7bf3dd16f6fa13cfd7ffacd01a352f ("ipv6: Initial skb->dev and skb->protocol in ip6_output").
> 28f8bfd1ac948403ebd5c8070ae1e25421560059 ("netfilter: Support iif matches in POSTROUTING")
>
> However, none of them directly impact the fix or the issue, so a manual
> backport is appropriate here.
>
> [Test]
> Boot tested.
>
> [Where problems could occur]
> Any issues here would directly impact IPv6 networking.
>
> [Other info]
>
> v1 -> v2:
> - Fix cover letter email subject
>
> v2 -> v3:
> - Remove unnecessary READ_ONCE annotation coming from upstream commit
>   d289ab65b89c1d ("ipv6: annotate data-races around cnf.disable_ipv6")
> - Add more detailed description of missing upstream commits
> - Fix placement of CVE number in commit messages
> - Run boot tests
>
> Eric Dumazet (1):
>   ipv6: prevent NULL dereference in ip6_output()
>
>  net/ipv6/ip6_output.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>

On Fri, Jul 12, 2024 at 5:47 AM Vinicius Peixoto <vinicius.peixoto@canonical.com> wrote:
>
> [Impact]
> According to syzbot, there is a chance that ip6_dst_idev()
> returns NULL in ip6_output(). Most places in IPv6 stack
> deal with a NULL idev just fine, but not here.
>
> [Backport]
> Due to the lack of upstream commits
>
> 5e187189ec324f78035d33a4bc123a9c4ca6f3e3 ("net: ip: add skb drop reasons for ip egress path")
> d289ab65b89c1d4d88417cb6c03e923f21f95fae ("ipv6: annotate data-races around cnf.disable_ipv6")
>
> Jammy, Focal, Bionic and Xenial had a context conflict.
> Xenial is also missing the following commits:
>
> 97a7a37a7b7bf3dd16f6fa13cfd7ffacd01a352f ("ipv6: Initial skb->dev and skb->protocol in ip6_output").
> 28f8bfd1ac948403ebd5c8070ae1e25421560059 ("netfilter: Support iif matches in POSTROUTING")
>
> However, none of them directly impact the fix or the issue, so a manual
> backport is appropriate here.
>
> [Test]
> Boot tested.
>
> [Where problems could occur]
> Any issues here would directly impact IPv6 networking.
>
> [Other info]
>
> v1 -> v2:
> - Fix cover letter email subject
>
> v2 -> v3:
> - Remove unnecessary READ_ONCE annotation coming from upstream commit
>   d289ab65b89c1d ("ipv6: annotate data-races around cnf.disable_ipv6")
> - Add more detailed description of missing upstream commits
> - Fix placement of CVE number in commit messages
> - Run boot tests
>
> Eric Dumazet (1):
>   ipv6: prevent NULL dereference in ip6_output()
>
>  net/ipv6/ip6_output.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Chris Chiu <chris.chiu@canonical.com>

On 11.07.24 23:46, Vinicius Peixoto wrote:
> [Impact]
> According to syzbot, there is a chance that ip6_dst_idev()
> returns NULL in ip6_output(). Most places in IPv6 stack
> deal with a NULL idev just fine, but not here.
>
> [Backport]
> Due to the lack of upstream commits
>
> 5e187189ec324f78035d33a4bc123a9c4ca6f3e3 ("net: ip: add skb drop reasons for ip egress path")
> d289ab65b89c1d4d88417cb6c03e923f21f95fae ("ipv6: annotate data-races around cnf.disable_ipv6")
>
> Jammy, Focal, Bionic and Xenial had a context conflict.
> Xenial is also missing the following commits:
>
> 97a7a37a7b7bf3dd16f6fa13cfd7ffacd01a352f ("ipv6: Initial skb->dev and skb->protocol in ip6_output").
> 28f8bfd1ac948403ebd5c8070ae1e25421560059 ("netfilter: Support iif matches in POSTROUTING")
>
> However, none of them directly impact the fix or the issue, so a manual
> backport is appropriate here.
>
> [Test]
> Boot tested.
>
> [Where problems could occur]
> Any issues here would directly impact IPv6 networking.
>
> [Other info]
>
> v1 -> v2:
> - Fix cover letter email subject
>
> v2 -> v3:
> - Remove unnecessary READ_ONCE annotation coming from upstream commit
>   d289ab65b89c1d ("ipv6: annotate data-races around cnf.disable_ipv6")
> - Add more detailed description of missing upstream commits
> - Fix placement of CVE number in commit messages
> - Run boot tests
>
> Eric Dumazet (1):
>   ipv6: prevent NULL dereference in ip6_output()
>
>  net/ipv6/ip6_output.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan