[SRU,F,0/1] CVE-2024-26641

Message ID 20240924122517.137840-1-massimiliano.pellizzer@canonical.com

Message

Massimiliano Pellizzer Sept. 24, 2024, 12:24 p.m. UTC
[Impact]

Ensure that the pskb_inet_may_pull() function is called to properly
pull the packet data into memory before accessing it. Additionally, the
ipv6h variable, which holds the reference to the inner IPV6 header, is
initialized after this function call to prevent it from pointing to
incorrect memory.

[Fix]

Noble:  Fixed
Jammy:  Fixed
Focal:  Backported the fix commit from linux-5.10.y
Bionic: Sent to ESM ML
Xenial: Not affected

[Test Case]

Compile and boot tested.

[Where problems could occur]

The fix for CVE-2024-26641 affects the IPV6 tunnelling subsystem.
An issue with this fix may lead to kernel crashes, particularly during
the reception and processing of IPV6-encapsulated packets. Users may
also notice unexpected behavior, such as packet loss or the mishandling
of fragmented packets, due to improper memory handling during
decapsulation.

Eric Dumazet (1):
  ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

 net/ipv6/ip6_tunnel.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
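
The ordering described under [Impact], shown as an added userspace model (not the kernel patch and not code from this thread): a pull that has to gather bytes relocates the buffer head, so the header pointer is derived only after the pull succeeds. `struct pkt`, `pkt_may_pull()`, `rcv_hop_limit()` and `RAW` are hypothetical names, and the packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define INNER_HDR_LEN 40 /* fixed IPv6 header size */
static const uint8_t RAW[60] = { [0] = 0x60, [7] = 64 }; /* constructed packet */

/* Hypothetical model: only `linear` bytes sit at head, the rest in frag. */
struct pkt { uint8_t *head; size_t linear; const uint8_t *frag; size_t frag_len; };

/* Make the first len bytes contiguous at head; 0 means drop. May move head. */
static int pkt_may_pull(struct pkt *p, size_t len)
{
    if (len <= p->linear) return 1;              /* already contiguous */
    if (len > p->linear + p->frag_len) return 0; /* packet too short */
    size_t need = len - p->linear;
    uint8_t *nh = malloc(len);
    if (!nh) return 0;
    memcpy(nh, p->head, p->linear);
    memcpy(nh + p->linear, p->frag, need);
    free(p->head);                               /* the old head is gone */
    p->head = nh; p->linear = len;
    p->frag += need; p->frag_len -= need;
    return 1;
}

/* Fixed ordering: pull first, then derive the header pointer. Returns the
 * hop limit or -1 on drop; *moved reports whether the pull relocated head. */
static int rcv_hop_limit(size_t total, size_t linear, int *moved)
{
    struct pkt p = { malloc(linear + 1), linear, RAW + linear, total - linear };
    if (!p.head) abort();
    memcpy(p.head, RAW, linear);
    uintptr_t before = (uintptr_t)p.head; /* where a pre-pull pointer would aim */
    int hop = -1;
    if (pkt_may_pull(&p, INNER_HDR_LEN)) {
        const uint8_t *ipv6h = p.head;    /* initialized after the pull */
        hop = ipv6h[7];                   /* hop limit: byte 7 of the header */
    }
    *moved = before != (uintptr_t)p.head;
    free(p.head);
    return hop;
}

int main(void)
{
    int moved, hop = rcv_hop_limit(60, 4, &moved);
    printf("hop=%d moved=%d\n", hop, moved);
    return 0;
}
```

When `moved` is 1, a pointer captured before the pull would refer to the freed head, which is the "incorrect memory" case the cover letter describes.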

Comments

Koichiro Den Sept. 25, 2024, 12:38 a.m. UTC | #1
Acked-by: Koichiro Den <koichiro.den at canonical.com>

On Tue, Sep 24, 2024 at 02:24:27PM +0200, Massimiliano Pellizzer wrote:
> [Impact]
> 
> Ensure that the pskb_inet_may_pull() function is called to properly
> pull the packet data into memory before accessing it. Additionally, the
> ipv6h variable, which holds the reference to the inner IPV6 header, is
> initialized after this function call to prevent it from pointing to
> incorrect memory.
> 
> [Fix]
> 
> Noble:  Fixed
> Jammy:  Fixed
> Focal:  Backported the fix commit from linux-5.10.y
> Bionic: Sent to ESM ML
> Xenial: Not affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The fix for CVE-2024-26641 affects the IPV6 tunnelling subsystem.
> An issue with this fix may lead to kernel crashes, particularly during
> the reception and processing of IPV6-encapsulated packets. Users may
> also notice unexpected behavior, such as packet loss or the mishandling
> of fragmented packets, due to improper memory handling during
> decapsulation.
> 
> Eric Dumazet (1):
>   ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
> 
>  net/ipv6/ip6_tunnel.c | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)
> 
> -- 
> 2.43.0

Roxana Nicolescu Sept. 26, 2024, 7:30 a.m. UTC | #2
On 24/09/2024 14:24, Massimiliano Pellizzer wrote:
> [Impact]
>
> Ensure that the pskb_inet_may_pull() function is called to properly
> pull the packet data into memory before accessing it. Additionally, the
> ipv6h variable, which holds the reference to the inner IPV6 header, is
> initialized after this function call to prevent it from pointing to
> incorrect memory.
>
> [Fix]
>
> Noble:  Fixed
> Jammy:  Fixed
> Focal:  Backported the fix commit from linux-5.10.y
> Bionic: Sent to ESM ML
> Xenial: Not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The fix for CVE-2024-26641 affects the IPV6 tunnelling subsystem.
> An issue with this fix may lead to kernel crashes, particularly during
> the reception and processing of IPV6-encapsulated packets. Users may
> also notice unexpected behavior, such as packet loss or the mishandling
> of fragmented packets, due to improper memory handling during
> decapsulation.
>
> Eric Dumazet (1):
>    ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
>
>   net/ipv6/ip6_tunnel.c | 21 ++++++++++++++++++---
>   1 file changed, 18 insertions(+), 3 deletions(-)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

Stefan Bader Sept. 26, 2024, 3:19 p.m. UTC | #3
On 24.09.24 14:24, Massimiliano Pellizzer wrote:
> [Impact]
> 
> Ensure that the pskb_inet_may_pull() function is called to properly
> pull the packet data into memory before accessing it. Additionally, the
> ipv6h variable, which holds the reference to the inner IPV6 header, is
> initialized after this function call to prevent it from pointing to
> incorrect memory.
> 
> [Fix]
> 
> Noble:  Fixed
> Jammy:  Fixed
> Focal:  Backported the fix commit from linux-5.10.y
> Bionic: Sent to ESM ML
> Xenial: Not affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The fix for CVE-2024-26641 affects the IPV6 tunnelling subsystem.
> An issue with this fix may lead to kernel crashes, particularly during
> the reception and processing of IPV6-encapsulated packets. Users may
> also notice unexpected behavior, such as packet loss or the mishandling
> of fragmented packets, due to improper memory handling during
> decapsulation.
> 
> Eric Dumazet (1):
>    ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
> 
>   net/ipv6/ip6_tunnel.c | 21 ++++++++++++++++++---
>   1 file changed, 18 insertions(+), 3 deletions(-)
> 

Applied to focal:linux/master-next. Thanks.

-Stefan