{
  "threat_severity" : "Low",
  "public_date" : "2024-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: geneve: fix header validation in geneve[6]_xmit_skb",
    "id" : "2281891",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281891"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ngeneve: fix header validation in geneve[6]_xmit_skb\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n- Only call __vlan_get_protocol() for vlan types.\nv2,v3 - Addressed Sabrina comments on v1 and v2\n[1]\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\nBUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\ngeneve_xmit_skb drivers/net/geneve.c:910 [inline]\ngeneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n__netdev_start_xmit include/linux/netdevice.h:4903 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4917 [inline]\nxmit_one net/core/dev.c:3531 [inline]\ndev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n__dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\ndev_queue_xmit include/linux/netdevice.h:3091 [inline]\npacket_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3081 [inline]\npacket_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n__sys_sendto+0x685/0x830 net/socket.c:2191\n__do_sys_sendto net/socket.c:2203 [inline]\n__se_sys_sendto net/socket.c:2199 [inline]\n__x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\ndo_syscall_64+0xd5/0x1f0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:3804 [inline]\nslab_alloc_node mm/slub.c:3845 [inline]\nkmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\nalloc_skb include/linux/skbuff.h:1318 [inline]\nalloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\nsock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\npacket_alloc_skb net/packet/af_packet.c:2930 [inline]\npacket_snd net/packet/af_packet.c:3024 [inline]\npacket_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n__sys_sendto+0x685/0x830 net/socket.c:2191\n__do_sys_sendto net/socket.c:2203 [inline]\n__se_sys_sendto net/socket.c:2199 [inline]\n__x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\ndo_syscall_64+0xd5/0x1f0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", "In the Linux kernel, the following vulnerability has been resolved:\ngeneve: fix header validation in geneve[6]_xmit_skb\nThe Linux kernel CVE team has assigned CVE-2024-35973 to this issue.\nUpstream advisory:\nhttps://lore.kernel.org/linux-cve-announce/2024052024-CVE-2024-35973-1b5b@gregkh/T" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35973\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35973\nhttps://lore.kernel.org/linux-cve-announce/2024052024-CVE-2024-35973-1b5b@gregkh/T" ],
  "name" : "CVE-2024-35973",
  "csaw" : false
}