From: Massimiliano Pellizzer
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 0/1] CVE-2024-26641
Date: Tue, 24 Sep 2024 14:24:27 +0200
Message-ID: <20240924122517.137840-1-massimiliano.pellizzer@canonical.com>
X-Patchwork-Id: 1988910

[Impact]

Ensure that the pskb_inet_may_pull() function is called to properly pull the packet data into memory before accessing it. Additionally, the ipv6h variable, which holds the reference to the inner IPV6 header, is initialized after this function call to prevent it from pointing to incorrect memory.

[Fix]

Noble: Fixed
Jammy: Fixed
Focal: Backported the fix commit from linux-5.10.y
Bionic: Sent to ESM ML
Xenial: Not affected

[Test Case]

Compile and boot tested.

[Where problems could occur]

The fix for CVE-2024-26641 affects the IPV6 tunnelling subsystem. An issue with this fix may lead to kernel crashes, particularly during the reception and processing of IPV6-encapsulated packets. Users may also notice unexpected behavior, such as packet loss or the mishandling of fragmented packets, due to improper memory handling during decapsulation.

Eric Dumazet (1):
  ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

 net/ipv6/ip6_tunnel.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

Acked-by: Koichiro Den
Acked-by: Roxana Nicolescu
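The ordering described under [Impact], pull first and only then take the header pointer, shown as an added userspace model; this is not the kernel patch or code from the original message. `struct pkt`, `may_pull()`, `inner_hop_limit()` and `demo()` are hypothetical names, and the sample packet is constructed.

```c
#include <stdlib.h>
#include <string.h>

#define IPV6_HDR_LEN 40

/* Hypothetical stand-in for an sk_buff: only linear_len bytes at head are
 * directly addressable; the remaining bytes still sit in a fragment. */
struct pkt {
    unsigned char *head;       size_t linear_len;
    const unsigned char *frag; size_t frag_len;
};

/* Model of a "may pull" helper: make `need` bytes linear, or fail.
 * It can move head, so any pointer taken before the call is stale. */
static int may_pull(struct pkt *p, size_t need)
{
    if (need <= p->linear_len) return 1;
    size_t missing = need - p->linear_len;
    if (missing > p->frag_len) return 0;        /* truncated packet */
    unsigned char *n = malloc(need);
    if (!n) return 0;
    memcpy(n, p->head, p->linear_len);
    memcpy(n + p->linear_len, p->frag, missing);
    free(p->head);                              /* old buffer is gone */
    p->head = n;          p->linear_len = need;
    p->frag += missing;   p->frag_len -= missing;
    return 1;
}

/* Returns the inner header's hop limit, or -1 if it cannot be read. */
static int inner_hop_limit(struct pkt *p)
{
    if (!may_pull(p, IPV6_HDR_LEN)) return -1;  /* never read unpulled data */
    const unsigned char *ipv6h = p->head;       /* taken after the pull */
    if ((ipv6h[0] >> 4) != 6) return -1;        /* version nibble */
    return ipv6h[7];                            /* hop limit field */
}

/* Constructed sample: `linear` (> 0) header bytes are linear, `total` exist. */
static int demo(size_t linear, size_t total)
{
    unsigned char hdr[IPV6_HDR_LEN] = {0x60};
    hdr[7] = 64;
    struct pkt p = { malloc(linear), linear, hdr + linear, total - linear };
    if (!p.head) return -1;
    memcpy(p.head, hdr, linear);
    int r = inner_hop_limit(&p);
    free(p.head);
    return r;
}

int main(void) { return demo(4, 40) == 64 ? 0 : 1; }
```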