Upstream information
Description
In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: - Uses LL_RESERVED_SPACE() to reserve space. - Check all conditions again after socket lock is held again. - Do not account Ethernet header for mtu limitation. [1] skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0 kernel BUG at net/core/skbuff.c:193 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:189 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 lr : skb_panic net/core/skbuff.c:189 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 sp : ffff800096f97000 x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000 x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2 x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0 x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001 x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400 x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic net/core/skbuff.c:189 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 skb_push+0xf0/0x108 net/core/skbuff.c:2451 eth_header+0x44/0x1f8 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3188 [inline] llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33 llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209 llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270 llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x194/0x274 net/socket.c:767 splice_to_socket+0x7cc/0xd58 fs/splice.c:881 do_splice_from fs/splice.c:933 [inline] direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142 splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088 do_splice_direct+0x20c/0x348 fs/splice.c:1194 do_sendfile+0x4bc/0xc70 fs/read_write.c:1254 __do_sys_sendfile64 fs/read_write.c:1322 [inline] __se_sys_sendfile64 fs/read_write.c:1308 [inline] __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)SUSE information
Overall state of this security issue: Pending
This issue is currently rated as having moderate severity.
| SUSE | |
|---|---|
| Base Score | 5.5 |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |
| CVSSv3 Version | 3.1 |
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.
| Product(s) | Source package | State |
|---|---|---|
| Products under general support and receiving all security fixes. | ||
| SUSE Enterprise Storage 7.1 | kernel-default | Affected |
| SUSE Enterprise Storage 7.1 | kernel-source | Affected |
| SUSE Enterprise Storage 7.1 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | kernel-default | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Micro 5.1 | kernel-default | Affected |
| SUSE Linux Enterprise Micro 5.1 | kernel-rt | Affected |
| SUSE Linux Enterprise Micro 5.1 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Micro 5.2 | kernel-default | Affected |
| SUSE Linux Enterprise Micro 5.2 | kernel-rt | Affected |
| SUSE Linux Enterprise Micro 5.2 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Micro 5.3 | kernel-default | Affected |
| SUSE Linux Enterprise Micro 5.3 | kernel-rt | Affected |
| SUSE Linux Enterprise Micro 5.3 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Micro 5.4 | kernel-default | Affected |
| SUSE Linux Enterprise Micro 5.4 | kernel-rt | Affected |
| SUSE Linux Enterprise Micro 5.4 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Micro 5.5 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | kernel-default | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | kernel-default | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP6 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Real Time 12 SP5 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Real Time 15 SP5 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Real Time 15 SP6 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Server 12 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Server 12 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server 15 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Server 15 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server 15 SP6 | kernel-default | Affected |
| SUSE Linux Enterprise Server 15 SP6 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP6 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | kernel-source-azure | Affected |
| SUSE Manager Proxy 4.3 | kernel-default | Affected |
| SUSE Manager Proxy 4.3 | kernel-source | Affected |
| SUSE Manager Proxy 4.3 | kernel-source-azure | Affected |
| SUSE Manager Retail Branch Server 4.3 | kernel-default | Affected |
| SUSE Manager Retail Branch Server 4.3 | kernel-source | Affected |
| SUSE Manager Retail Branch Server 4.3 | kernel-source-azure | Affected |
| SUSE Manager Server 4.3 | kernel-default | Affected |
| SUSE Manager Server 4.3 | kernel-source | Affected |
| SUSE Manager Server 4.3 | kernel-source-azure | Affected |
| SUSE Real Time Module 15 SP5 | kernel-source-rt | Affected |
| SUSE Real Time Module 15 SP6 | kernel-source-rt | Affected |
| Products under Long Term Service Pack support and receiving important and critical security fixes. | ||
| SUSE Linux Enterprise Desktop 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | kernel-source-azure | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | kernel-source-azure | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | kernel-source-azure | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP4 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | kernel-default | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP2 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP3 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP4 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | kernel-source-azure | Affected |
| SUSE OpenStack Cloud 8 | kernel-source | Affected |
| SUSE OpenStack Cloud 9 | kernel-default | Affected |
| SUSE OpenStack Cloud 9 | kernel-source | Affected |
| Products past their end of life and not receiving proactive updates anymore. | ||
| HPE Helion OpenStack 8 | kernel-source | Affected |
| SUSE CaaS Platform 4.0 | kernel-source | Affected |
| SUSE Enterprise Storage 6 | kernel-source | Affected |
| SUSE Enterprise Storage 7 | kernel-source | Affected |
| SUSE Enterprise Storage 7 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Desktop 12 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 12 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 12 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 15 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 15 SP1 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Micro 5.0 | kernel-default | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP1 | kernel-source | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP2 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP3 | kernel-source-azure | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | kernel-source-rt | Affected |
| SUSE Linux Enterprise Server 11 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 11 SP4-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP2-BCL | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP2-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP2-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 12 SP2-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP3-BCL | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP3-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | kernel-source | Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP1 | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | kernel-source | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | kernel-source | Affected |
| SUSE Linux Enterprise Server 15-LTSS | kernel-default | Affected |
| SUSE Linux Enterprise Server 15-LTSS | kernel-source | Affected |
| SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | kernel-default | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | kernel-source | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | kernel-source | Affected |
| SUSE Manager Proxy 4.0 | kernel-source | Affected |
| SUSE Manager Proxy 4.1 | kernel-source | Affected |
| SUSE Manager Proxy 4.1 | kernel-source-azure | Affected |
| SUSE Manager Proxy 4.2 | kernel-source | Affected |
| SUSE Manager Proxy 4.2 | kernel-source-azure | Affected |
| SUSE Manager Retail Branch Server 4.0 | kernel-source | Affected |
| SUSE Manager Retail Branch Server 4.1 | kernel-source | Affected |
| SUSE Manager Retail Branch Server 4.1 | kernel-source-azure | Affected |
| SUSE Manager Retail Branch Server 4.2 | kernel-source | Affected |
| SUSE Manager Retail Branch Server 4.2 | kernel-source-azure | Affected |
| SUSE Manager Server 4.0 | kernel-source | Affected |
| SUSE Manager Server 4.1 | kernel-source | Affected |
| SUSE Manager Server 4.1 | kernel-source-azure | Affected |
| SUSE Manager Server 4.2 | kernel-source | Affected |
| SUSE Manager Server 4.2 | kernel-source-azure | Affected |
| SUSE OpenStack Cloud 7 | kernel-source | Affected |
| SUSE OpenStack Cloud Crowbar 8 | kernel-source | Affected |
| SUSE OpenStack Cloud Crowbar 9 | kernel-default | Affected |
| SUSE OpenStack Cloud Crowbar 9 | kernel-source | Affected |
| SUSE Real Time Module 15 SP3 | kernel-source-rt | Affected |
| SUSE Real Time Module 15 SP4 | kernel-source-rt | Affected |
SUSE Timeline for this CVE
CVE page created: Mon Mar 18 13:00:17 2024CVE page last modified: Thu Apr 25 21:37:53 2024