Fix for CVE-2024-36971 #8
base: linux-4.14.y
commit 92f1655aa2b2294d0b49925f3b875a634bd3b59e upstream.

__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <[email protected]>
Diagnosed-by: Clement Lecigne <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Tom Herbert <[email protected]>
Reviewed-by: David Ahern <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
[mheyne: contextual conflict in ip6_negative_advice due to missing commit c3c14da0288d ("net/ipv6: add rcu locking to ip6_negative_advice") and commit 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")]
Signed-off-by: Maximilian Heyne <[email protected]>

thanks to openela/kernel-lts#8
Signed-off-by: Tavi <[email protected]>
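As an added illustration of the ordering rule the commit message describes (this is not code from the kernel, from this PR or from its authors), the following constructed userspace C model contrasts the two orders of operations. The struct and function names echo `sk->sk_dst_cache`, `dst_release()` and `sk_dst_get()` but are simplified stand-ins: there is no real RCU, no grace period and no `free()`; an entry is instead marked `freed` when its last reference is dropped, so that the outcome can be inspected. A "racing reader" is invoked between the two steps to stand in for a CPU that loads the cache pointer concurrently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a refcounted cached route ("dst") and of a socket's
 * sk->sk_dst_cache pointer. The names echo the kernel's but everything here
 * is a simplification written for this example; the real objects, locking and
 * RCU grace periods are not modelled. */
struct dst_entry {
    int refcnt;
    bool freed;   /* set instead of calling free(), so the result can be inspected */
};

struct sock {
    struct dst_entry *sk_dst_cache;
};

static void dst_hold(struct dst_entry *dst)
{
    dst->refcnt++;   /* touching an already-freed entry here is the use-after-free */
}

/* Drop one reference; the entry is "freed" when the count reaches zero. */
static void dst_release(struct dst_entry *dst)
{
    if (dst && --dst->refcnt == 0)
        dst->freed = true;
}

/* A concurrent RCU reader (think sk_dst_get()): load the cached pointer and,
 * if there is one, take a reference on it. Whatever it loads must point at
 * memory that is guaranteed to outlive the reader's read-side section. */
static struct dst_entry *reader_take_ref(struct sock *sk)
{
    struct dst_entry *dst = sk->sk_dst_cache;   /* rcu_dereference() in the kernel */
    if (dst)
        dst_hold(dst);
    return dst;
}

/* The ordering the commit removes: the socket's reference is dropped while
 * sk->sk_dst_cache still points at the entry, and the pointer is cleared
 * afterwards. Returns what the interleaved reader saw. */
static struct dst_entry *negative_advice_wrong_order(struct sock *sk)
{
    struct dst_entry *old = sk->sk_dst_cache;
    struct dst_entry *seen;

    dst_release(old);            /* step 1: drop the reference */
    seen = reader_take_ref(sk);  /* racing reader loads a stale pointer */
    sk->sk_dst_cache = NULL;     /* step 2: clear the cache, too late */
    return seen;
}

/* The ordering sk_dst_reset() implements: first publish NULL, then release
 * the old entry. A reader that interleaves sees an empty cache instead. */
static struct dst_entry *negative_advice_correct_order(struct sock *sk)
{
    struct dst_entry *old = sk->sk_dst_cache;
    struct dst_entry *seen;

    sk->sk_dst_cache = NULL;     /* step 1: clear the cache (xchg/RCU assign in the kernel) */
    seen = reader_take_ref(sk);  /* racing reader finds nothing to use */
    dst_release(old);            /* step 2: drop the reference */
    return seen;
}

/* Run one scenario on a fresh socket and report whether the interleaved reader
 * ended up holding a pointer to an entry that had already been freed. */
bool reader_got_dangling_pointer(bool correct_order)
{
    struct dst_entry dst = { .refcnt = 1, .freed = false };
    struct sock sk = { .sk_dst_cache = &dst };
    struct dst_entry *seen = correct_order ? negative_advice_correct_order(&sk)
                                           : negative_advice_wrong_order(&sk);

    return seen != NULL && seen->freed;
}

int main(void)
{
    printf("release-then-clear: reader holds dangling dst = %s\n",
           reader_got_dangling_pointer(false) ? "yes" : "no");
    printf("clear-then-release: reader holds dangling dst = %s\n",
           reader_got_dangling_pointer(true) ? "yes" : "no");
    return 0;
}
```

The model deliberately makes the interleaving deterministic, which is what makes the two orders easy to compare: with release-then-clear the reader loads a pointer to an entry whose last reference is gone, with clear-then-release it loads NULL. In the real kernel the window is a race between the writer and RCU readers on other CPUs, which is why the upstream fix moves each `->negative_advice()` method onto the `sk_dst_reset()` order rather than relying on the callback to release the entry itself.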
I've been running this for a week now on a Pixel 4 without issue.

Hi @SkewedZeppelin, did you apply the fix on the OpenELA-4.14.y and then use it in your device? We didn't get a chance for including this yet. We will include this soon.

@harshimogalapalli I only recently learned of OpenELA and imported everything: Divested-Mobile/Kernel_Patches@d3aa61c although most were already handled since I loosely apply 4.19 patches to 4.14: https://github.com/Divested-Mobile/CVE_Checker?tab=readme-ov-file#patch-version-matrix

Thanks for sharing!
Backported the fix for CVE-2024-36971 to the 4.14 tree.