{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: ip_tunnel: prevent perpetual headroom growth",
    "id" : "2273423",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2273423"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: ip_tunnel: prevent perpetual headroom growth\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\nkasan_report+0xda/0x110 mm/kasan/report.c:588\n__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nskb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\nskb_get_hash include/linux/skbuff.h:1556 [inline]\nip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\nipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n...\nip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\nip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n..\niptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\nip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\nipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n...\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n__skb_pull(skb, skb_network_offset(skb));\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  IOW, we skb->data gets \"adjusted\" by a huge value.\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\nThis results in the following pattern:\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\nThis repeats for every future packet:\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.", "A use-after-free flaw was found in the Linux kernel’s ip_tunnel functionality when a user uses the ip_tunnel infrastructure. This flaw allows a local user to crash the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-07-08T00:00:00Z",
    "advisory" : "RHSA-2024:4352",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-07-02T00:00:00Z",
    "advisory" : "RHSA-2024:4211",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.8.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-07-10T00:00:00Z",
    "advisory" : "RHSA-2024:4447",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.111.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-07-10T00:00:00Z",
    "advisory" : "RHSA-2024:4447",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.111.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-07-10T00:00:00Z",
    "advisory" : "RHSA-2024:4447",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.111.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-07-23T00:00:00Z",
    "advisory" : "RHSA-2024:4740",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.64.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3306",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.18.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3306",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.18.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-05-29T00:00:00Z",
    "advisory" : "RHSA-2024:3461",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.67.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-05-29T00:00:00Z",
    "advisory" : "RHSA-2024:3460",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.67.1.rt14.352.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26804\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26804\nhttps://lore.kernel.org/linux-cve-announce/2024040404-CVE-2024-26804-a6ff@gregkh/T" ],
  "name" : "CVE-2024-26804",
  "csaw" : false
}