ACK: [SRU][X][PATCH v2 00/17] CVE-2024-26921
Stewart Hore
stewart.hore at canonical.com
Fri Feb 21 06:17:18 UTC 2025
On Fri, Feb 21, 2025 at 05:04:11PM +1100, Stewart Hore wrote:
> On Fri, Nov 29, 2024 at 06:06:07PM +0100, Juerg Haefliger wrote:
> > https://ubuntu.com/security/CVE-2024-26921
> >
> > https://warthogs.atlassian.net/browse/KERNSEC-324
> >
> > [ Impact ]
> >
> > Potential use-after-free of skb (socket buffer) fragments that are reassembled
> > via netfilter or openvswitch or similar modules.
> >
> >
> > [ Test Case ]
> >
> > Ran the ip_defrag kernel selftest from 6.10 and verified that no new failures occur.
> > In fact, some of the failing tests pass now. Also verified that the (main) modified
> > functions are called during the test.
> >
> >
> > [ Where Problems Could Occur ]
> >
> > Networking, netfilter, openvswitch, IPv4 and IPv6 defragmentation.
> >
> >
> > v1->v2:
> > - Drop patch ("UBUNTU: SAUCE: inet: frags: introduce sum_truesize in inet_frag_reasm_finish()")
> > and use head->truesize instead of sum_truesize in next commit
> > - Backport ("inet: inet_defrag: prevent sk release while still in use") from linux-5.4.y
> > - Fix provenance (backported from commit ccfa73daf762f3adac3f6c0e2f09c3c74548775f linux-4.14.y)
> > - Include a72a5e2d34ec ("inet: kill unused skb_free op")
> > - Cherry-pick ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c") from linux-4.14.y
> >
> > Daniele Di Proietto (1):
> > openvswitch: Fix skb leak in IPv6 reassembly.
> >
> > Eric Dumazet (1):
> > net: add __sock_wfree() helper
> >
> > Florian Westphal (6):
> > netfilter: ipv6: nf_defrag: avoid/free clone operations
> > inet: kill unused skb_free op
> > netfilter: ipv6: avoid nf_iterate recursion
> > netfilter: ipv6: nf_defrag: fix NULL deref panic
> > netfilter: ipv6: nf_defrag: drop mangled skb on ream error
> > inet: inet_defrag: prevent sk release while still in use
> >
> > Guillaume Nault (2):
> > netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
> > netfilter: ipv6: nf_defrag: accept duplicate fragments again
> >
> > Jiri Wiesner (1):
> > ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
> >
> > Joe Stringer (1):
> > openvswitch: Orphan skbs before IPv6 defrag
> >
> > Peter Oskolkov (2):
> > net: IP defrag: encapsulate rbtree defrag code into callable functions
> > net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c
> >
> > Subash Abhinov Kasiviswanathan (2):
> > netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460
> > netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure
> >
> > Yu Zhe (1):
> > ipv4: remove unnecessary type castings
> >
> > include/linux/skbuff.h | 5 +-
> > include/net/inet_frag.h | 17 +-
> > include/net/netfilter/ipv6/nf_defrag_ipv6.h | 3 +-
> > include/net/sock.h | 1 +
> > net/core/sock.c | 11 +
> > net/core/sock_destructor.h | 12 +
> > net/ieee802154/6lowpan/reassembly.c | 1 -
> > net/ipv4/fib_frontend.c | 4 +-
> > net/ipv4/fib_rules.c | 2 +-
> > net/ipv4/fib_trie.c | 2 +-
> > net/ipv4/icmp.c | 2 +-
> > net/ipv4/igmp.c | 4 +-
> > net/ipv4/inet_fragment.c | 347 +++++++++++++++++++-
> > net/ipv4/ip_fragment.c | 298 ++---------------
> > net/ipv4/ping.c | 2 +-
> > net/ipv6/netfilter/nf_conntrack_reasm.c | 329 ++++++-------------
> > net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 20 +-
> > net/ipv6/reassembly.c | 8 +-
> > net/openvswitch/conntrack.c | 27 +-
> > 19 files changed, 539 insertions(+), 556 deletions(-)
> > create mode 100644 net/core/sock_destructor.h
> >
> > --
> > 2.43.0
>
> Acked-by: Stewart Hore <stewart.hore at canonical.com>
>
Sorry, I sent this ACK to the incorrect mailing list; please disregard.
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team