{
  "threat_severity" : "Low",
  "public_date" : "2024-04-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: geneve: make sure to pull inner header in geneve_rx()",
    "id" : "2275737",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2275737"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ngeneve: make sure to pull inner header in geneve_rx()\nsyzbot triggered a bug in geneve_rx() [1]\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\nBUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\nBUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\nIP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\ngeneve_rx drivers/net/geneve.c:279 [inline]\ngeneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\nudp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\nudp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\nudp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n__udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\nudp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\nip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\nip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\nNF_HOOK include/linux/netfilter.h:314 [inline]\nip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\ndst_input include/net/dst.h:461 [inline]\nip_rcv_finish net/ipv4/ip_input.c:449 [inline]\nNF_HOOK include/linux/netfilter.h:314 [inline]\nip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n__netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\nprocess_backlog+0x480/0x8b0 net/core/dev.c:5976\n__napi_poll+0xe3/0x980 net/core/dev.c:6576\nnapi_poll net/core/dev.c:6645 [inline]\nnet_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n__do_softirq+0x1b7/0x7c5 kernel/softirq.c:553\ndo_softirq+0x9a/0xf0 kernel/softirq.c:454\n__local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\nlocal_bh_enable include/linux/bottom_half.h:33 [inline]\nrcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n__dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\ndev_queue_xmit include/linux/netdevice.h:3171 [inline]\npacket_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3081 [inline]\npacket_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n__sys_sendto+0x735/0xa10 net/socket.c:2191\n__do_sys_sendto net/socket.c:2203 [inline]\n__se_sys_sendto net/socket.c:2199 [inline]\n__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:3819 [inline]\nslab_alloc_node mm/slub.c:3860 [inline]\nkmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n__alloc_skb+0x352/0x790 net/core/skbuff.c:651\nalloc_skb include/linux/skbuff.h:1296 [inline]\nalloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\nsock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\npacket_alloc_skb net/packet/af_packet.c:2930 [inline]\npacket_snd net/packet/af_packet.c:3024 [inline]\npacket_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n__sys_sendto+0x735/0xa10 net/socket.c:2191\n__do_sys_sendto net/socket.c:2203 [inline]\n__se_sys_sendto net/socket.c:2199 [inline]\n__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26857\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26857\nhttps://lore.kernel.org/linux-cve-announce/2024041724-CVE-2024-26857-75ac@gregkh/T" ],
  "name" : "CVE-2024-26857",
  "csaw" : false
}