
Fix for CVE-2024-36971 #8

Open
wants to merge 1 commit into base: linux-4.14.y

Conversation


@heynemax heynemax commented Aug 9, 2024

Backported the fix for CVE-2024-36971 to the 4.14 tree.

commit 92f1655aa2b2294d0b49925f3b875a634bd3b59e upstream.

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <[email protected]>
Diagnosed-by: Clement Lecigne <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Tom Herbert <[email protected]>
Reviewed-by: David Ahern <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
[mheyne: contextual conflict in ip6_negative_advice due to missing
  commit c3c14da0288d ("net/ipv6: add rcu locking to ip6_negative_advice") and
  commit 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")]
Signed-off-by: Maximilian Heyne <[email protected]>
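A user-space model of the ordering rule stated in the commit message, added here as an illustration (it is not code from this PR or from the kernel): the structs, the `freed` flag and the reader function are constructed stand-ins for `dst_entry`/`sock`, `dst_release()` and an RCU reader such as `sk_dst_get()` that happens to run between the two steps.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for struct dst_entry and struct sock: a refcount plus a
 * "freed" flag, so a dangling pointer is observable instead of undefined. */
struct dst_entry { int refcnt; bool freed; };
struct sock { struct dst_entry *sk_dst_cache; };

/* Model of dst_release(): the last reference frees the object (in the kernel
 * this is deferred through an RCU callback, but a reader that only starts
 * after the release is not covered by that grace period). */
static void dst_release(struct dst_entry *dst)
{
    if (dst && --dst->refcnt == 0)
        dst->freed = true;
}

/* A reader such as sk_dst_get() under rcu_read_lock(): it dereferences the
 * cached pointer. Returns true if that pointer leads to a freed dst_entry. */
static bool reader_sees_freed(const struct sock *sk)
{
    const struct dst_entry *d = sk->sk_dst_cache;   /* rcu_dereference() */
    return d != NULL && d->freed;
}

/* Pre-fix __dst_negative_advice() order: release first, clear second.
 * A reader scheduled between the two steps finds a dangling pointer. */
bool buggy_order_exposes_uaf(void)
{
    struct dst_entry dst = { .refcnt = 1, .freed = false };
    struct sock sk = { .sk_dst_cache = &dst };
    dst_release(sk.sk_dst_cache);           /* step 1: refcount hits zero */
    bool uaf = reader_sees_freed(&sk);      /* reader runs in the window */
    sk.sk_dst_cache = NULL;                 /* step 2: too late */
    return uaf;
}

/* sk_dst_reset() order, which the fix makes every ->negative_advice() use:
 * detach the pointer first (xchg in the kernel), release the old dst second. */
bool fixed_order_exposes_uaf(void)
{
    struct dst_entry dst = { .refcnt = 1, .freed = false };
    struct sock sk = { .sk_dst_cache = &dst };
    struct dst_entry *old = sk.sk_dst_cache;
    sk.sk_dst_cache = NULL;                 /* step 1: readers now see NULL */
    bool uaf = reader_sees_freed(&sk);      /* reader runs in the window */
    dst_release(old);                       /* step 2: drop the reference */
    return uaf;
}
```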
@heynemax heynemax marked this pull request as ready for review August 9, 2024 10:46
SkewedZeppelin added a commit to Divested-Mobile/Kernel_Patches that referenced this pull request Aug 18, 2024
@SkewedZeppelin

I've been running this for a week now on a Pixel 4 without issue.
Thanks @heynemax

@harshimogalapalli

Hi @SkewedZeppelin,

Did you apply the fix on OpenELA-4.14.y and then use it on your device?

We didn't get a chance to include this yet. We will include this soon.

@SkewedZeppelin commented Aug 25, 2024

@harshimogalapalli
I'm not directly using the OpenELA branches.
I instead use the CIP scripts to pull out CVE patches and a program to automatically apply them to a few dozen (primarily end of life) trees.
e.g. https://github.com/Divested-Mobile/DivestOS-Build/blame/master/Scripts/LineageOS-20.0/CVE_Patchers/android_kernel_google_msm-4.14.sh

I only recently learned of OpenELA and imported everything: Divested-Mobile/Kernel_Patches@d3aa61c

Although most were already handled since I loosely apply 4.19 patches to 4.14: https://github.com/Divested-Mobile/CVE_Checker?tab=readme-ov-file#patch-version-matrix

@harshimogalapalli

Thanks for sharing!
