代码拉取完成,页面将自动刷新
一、漏洞信息
漏洞编号:CVE-2024-43897
漏洞归属组件:kernel
漏洞归属的版本:4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
CVSS V3.0分值:
BaseScore:5.5 Medium
Vector:CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
漏洞简述:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
漏洞公开时间:2024-08-26 19:15:04
漏洞创建时间:2024-08-27 03:31:50
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2024-43897
漏洞分析指导链接:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息:
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
openEuler评分:
5.5
Vector:CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP1(5.10.0):不受影响
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响
修复是否涉及abi变化(是/否):
1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否
FileDragTip