Rapid7 Vulnerability & Exploit Database

Ubuntu: (Multiple Advisories) (CVE-2024-26804): Linux kernel vulnerabilities

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Ubuntu: (Multiple Advisories) (CVE-2024-26804): Linux kernel vulnerabilities

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
04/04/2024
Created
07/02/2024
Added
07/01/2024
Modified
07/29/2024

Description

In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb->data points past skb->head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value. The negative value is returned because skb->head and skb->data distance is more than 64k and skb->network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev->needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel. The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future output device, rt.dev->needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0->needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0->needed_headroom gets inflated because previous packets' ipip0 step incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0->needed_headroom grows until post-expand-head reallocations result in a skb->head/data distance of more than 64k. Once that happens, skb->network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb->data point to a memory location outside skb->head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely.

Solution(s)

  • ubuntu-upgrade-linux-image-5-15-0-1030-xilinx-zynqmp
  • ubuntu-upgrade-linux-image-5-15-0-1046-gkeop
  • ubuntu-upgrade-linux-image-5-15-0-1056-ibm
  • ubuntu-upgrade-linux-image-5-15-0-1057-ibm
  • ubuntu-upgrade-linux-image-5-15-0-1058-intel-iotg
  • ubuntu-upgrade-linux-image-5-15-0-1058-nvidia
  • ubuntu-upgrade-linux-image-5-15-0-1058-nvidia-lowlatency
  • ubuntu-upgrade-linux-image-5-15-0-1058-raspi
  • ubuntu-upgrade-linux-image-5-15-0-1060-gke
  • ubuntu-upgrade-linux-image-5-15-0-1060-kvm
  • ubuntu-upgrade-linux-image-5-15-0-1061-oracle
  • ubuntu-upgrade-linux-image-5-15-0-1062-gcp
  • ubuntu-upgrade-linux-image-5-15-0-1063-aws
  • ubuntu-upgrade-linux-image-5-15-0-1065-azure-fde
  • ubuntu-upgrade-linux-image-5-15-0-1066-azure
  • ubuntu-upgrade-linux-image-5-15-0-110-lowlatency
  • ubuntu-upgrade-linux-image-5-15-0-110-lowlatency-64k
  • ubuntu-upgrade-linux-image-5-15-0-112-generic
  • ubuntu-upgrade-linux-image-5-15-0-112-generic-64k
  • ubuntu-upgrade-linux-image-5-15-0-112-generic-lpae
  • ubuntu-upgrade-linux-image-5-15-0-113-generic
  • ubuntu-upgrade-linux-image-5-15-0-113-generic-64k
  • ubuntu-upgrade-linux-image-5-15-0-113-generic-lpae
  • ubuntu-upgrade-linux-image-5-4-0-1045-xilinx-zynqmp
  • ubuntu-upgrade-linux-image-5-4-0-1073-ibm
  • ubuntu-upgrade-linux-image-5-4-0-1093-gkeop
  • ubuntu-upgrade-linux-image-5-4-0-1110-raspi
  • ubuntu-upgrade-linux-image-5-4-0-1114-kvm
  • ubuntu-upgrade-linux-image-5-4-0-1125-oracle
  • ubuntu-upgrade-linux-image-5-4-0-1126-aws
  • ubuntu-upgrade-linux-image-5-4-0-1130-gcp
  • ubuntu-upgrade-linux-image-5-4-0-1131-azure
  • ubuntu-upgrade-linux-image-5-4-0-186-generic
  • ubuntu-upgrade-linux-image-5-4-0-186-generic-lpae
  • ubuntu-upgrade-linux-image-5-4-0-186-lowlatency
  • ubuntu-upgrade-linux-image-aws
  • ubuntu-upgrade-linux-image-aws-lts-20-04
  • ubuntu-upgrade-linux-image-aws-lts-22-04
  • ubuntu-upgrade-linux-image-azure
  • ubuntu-upgrade-linux-image-azure-fde-lts-22-04
  • ubuntu-upgrade-linux-image-azure-lts-20-04
  • ubuntu-upgrade-linux-image-azure-lts-22-04
  • ubuntu-upgrade-linux-image-gcp
  • ubuntu-upgrade-linux-image-gcp-lts-20-04
  • ubuntu-upgrade-linux-image-gcp-lts-22-04
  • ubuntu-upgrade-linux-image-generic
  • ubuntu-upgrade-linux-image-generic-64k
  • ubuntu-upgrade-linux-image-generic-64k-hwe-20-04
  • ubuntu-upgrade-linux-image-generic-hwe-18-04
  • ubuntu-upgrade-linux-image-generic-hwe-20-04
  • ubuntu-upgrade-linux-image-generic-lpae
  • ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04
  • ubuntu-upgrade-linux-image-gke
  • ubuntu-upgrade-linux-image-gke-5-15
  • ubuntu-upgrade-linux-image-gkeop
  • ubuntu-upgrade-linux-image-gkeop-5-15
  • ubuntu-upgrade-linux-image-gkeop-5-4
  • ubuntu-upgrade-linux-image-ibm
  • ubuntu-upgrade-linux-image-ibm-lts-20-04
  • ubuntu-upgrade-linux-image-intel
  • ubuntu-upgrade-linux-image-intel-iotg
  • ubuntu-upgrade-linux-image-kvm
  • ubuntu-upgrade-linux-image-lowlatency
  • ubuntu-upgrade-linux-image-lowlatency-64k
  • ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04
  • ubuntu-upgrade-linux-image-lowlatency-hwe-18-04
  • ubuntu-upgrade-linux-image-lowlatency-hwe-20-04
  • ubuntu-upgrade-linux-image-nvidia
  • ubuntu-upgrade-linux-image-nvidia-lowlatency
  • ubuntu-upgrade-linux-image-oem
  • ubuntu-upgrade-linux-image-oem-20-04
  • ubuntu-upgrade-linux-image-oem-20-04b
  • ubuntu-upgrade-linux-image-oem-20-04c
  • ubuntu-upgrade-linux-image-oem-20-04d
  • ubuntu-upgrade-linux-image-oem-osp1
  • ubuntu-upgrade-linux-image-oracle
  • ubuntu-upgrade-linux-image-oracle-lts-20-04
  • ubuntu-upgrade-linux-image-oracle-lts-22-04
  • ubuntu-upgrade-linux-image-raspi
  • ubuntu-upgrade-linux-image-raspi-hwe-18-04
  • ubuntu-upgrade-linux-image-raspi-nolpae
  • ubuntu-upgrade-linux-image-raspi2
  • ubuntu-upgrade-linux-image-snapdragon-hwe-18-04
  • ubuntu-upgrade-linux-image-virtual
  • ubuntu-upgrade-linux-image-virtual-hwe-18-04
  • ubuntu-upgrade-linux-image-virtual-hwe-20-04
  • ubuntu-upgrade-linux-image-xilinx-zynqmp

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;