ACK: [SRU][X][PATCH v2 00/17] CVE-2024-26921
Stewart Hore
stewart.hore at canonical.com
Fri Feb 21 06:04:03 UTC 2025
On Fri, Nov 29, 2024 at 06:06:07PM +0100, Juerg Haefliger wrote:
> https://ubuntu.com/security/CVE-2024-26921
>
> https://warthogs.atlassian.net/browse/KERNSEC-324
>
> [ Impact ]
>
> Potential use-after-free of skb (socket buffer) fragments that are reassembled
> via netfilter or openvswitch or similar modules.
>
>
> [ Test Case ]
>
> Ran the ip_defrag kernel selftest from 6.10 and verified that no new failures occur.
> In fact, some of the failing tests pass now. Also verified that the (main) modified
> functions are called during the test.
>
>
> [ Where Problems Could Occur ]
>
> Networking, netfilter, openvswitch, IPv4 and IPv6 defragmentation.
>
>
> v1->v2:
> - Drop patch ("UBUNTU: SAUCE: inet: frags: introduce sum_truesize in inet_frag_reasm_finish()")
> and use head->truesize instead of sum_truesize in next commit
> - Backport ("inet: inet_defrag: prevent sk release while still in use") from linux-5.4.y
> - Fix provenance (backported from commit ccfa73daf762f3adac3f6c0e2f09c3c74548775f linux-4.14.y)
> - Include a72a5e2d34ec ("inet: kill unused skb_free op")
> - Cherry-pick ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c") from linux-4.14.y
>
> Daniele Di Proietto (1):
> openvswitch: Fix skb leak in IPv6 reassembly.
>
> Eric Dumazet (1):
> net: add __sock_wfree() helper
>
> Florian Westphal (6):
> netfilter: ipv6: nf_defrag: avoid/free clone operations
> inet: kill unused skb_free op
> netfilter: ipv6: avoid nf_iterate recursion
> netfilter: ipv6: nf_defrag: fix NULL deref panic
> netfilter: ipv6: nf_defrag: drop mangled skb on ream error
> inet: inet_defrag: prevent sk release while still in use
>
> Guillaume Nault (2):
> netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
> netfilter: ipv6: nf_defrag: accept duplicate fragments again
>
> Jiri Wiesner (1):
> ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
>
> Joe Stringer (1):
> openvswitch: Orphan skbs before IPv6 defrag
>
> Peter Oskolkov (2):
> net: IP defrag: encapsulate rbtree defrag code into callable functions
> net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c
>
> Subash Abhinov Kasiviswanathan (2):
> netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460
> netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure
>
> Yu Zhe (1):
> ipv4: remove unnecessary type castings
>
> include/linux/skbuff.h | 5 +-
> include/net/inet_frag.h | 17 +-
> include/net/netfilter/ipv6/nf_defrag_ipv6.h | 3 +-
> include/net/sock.h | 1 +
> net/core/sock.c | 11 +
> net/core/sock_destructor.h | 12 +
> net/ieee802154/6lowpan/reassembly.c | 1 -
> net/ipv4/fib_frontend.c | 4 +-
> net/ipv4/fib_rules.c | 2 +-
> net/ipv4/fib_trie.c | 2 +-
> net/ipv4/icmp.c | 2 +-
> net/ipv4/igmp.c | 4 +-
> net/ipv4/inet_fragment.c | 347 +++++++++++++++++++-
> net/ipv4/ip_fragment.c | 298 ++---------------
> net/ipv4/ping.c | 2 +-
> net/ipv6/netfilter/nf_conntrack_reasm.c | 329 ++++++-------------
> net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 20 +-
> net/ipv6/reassembly.c | 8 +-
> net/openvswitch/conntrack.c | 27 +-
> 19 files changed, 539 insertions(+), 556 deletions(-)
> create mode 100644 net/core/sock_destructor.h
>
> --
> 2.43.0
Acked-by: Stewart Hore <stewart.hore at canonical.com>
--
kernel-team mailing list
kernel-team at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team