CVE-2024-35973
Linux Geneve Vlan Protocol Validation Vulnerability
Description
In the Linux kernel, the following vulnerability has been resolved: geneve: fix header validation in geneve[6]_xmit_skb syzbot is able to trigger an uninit-value in geneve_xmit() [1] Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) uses skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol. If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all. If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected. Add skb_vlan_inet_prepare() to perform a complete mac validation. Use this in geneve for the moment, I suspect we need to adopt this more broadly. v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest - Only call __vlan_get_protocol() for vlan types. v2,v3 - Addressed Sabrina comments on v1 and v2 [1] BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 geneve_xmit_skb drivers/net/geneve.c:910 [inline] geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
INFO
Published Date :
May 20, 2024, 10:15 a.m.
Last Modified :
April 4, 2025, 2:33 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-35973.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-35973 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-35973 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 04, 2025
Action Type Old Value New Value Added CWE CWE-908 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.87 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.28 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.8.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.19.191 up to (excluding) 4.19.313 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4.119 up to (excluding) 5.4.275 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.37 up to (excluding) 5.10.216 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11.21 up to (excluding) 5.12 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.12.4 up to (excluding) 5.15.156 Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* Added Reference Type CVE: https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef Types: Patch Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List, Third Party Advisory Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List, Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915 Added Reference https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e Added Reference https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852 Added Reference https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 Added Reference https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536 Added Reference https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670 Added Reference https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c Added Reference https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Nov. 05, 2024
Action Type Old Value New Value Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 29, 2024
Action Type Old Value New Value Added CVSS V3.1 CISA-ADP AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 27, 2024
Action Type Old Value New Value Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned] -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 25, 2024
Action Type Old Value New Value Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned] -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 29, 2024
Action Type Old Value New Value -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 20, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: geneve: fix header validation in geneve[6]_xmit_skb syzbot is able to trigger an uninit-value in geneve_xmit() [1] Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) uses skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol. If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all. If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected. Add skb_vlan_inet_prepare() to perform a complete mac validation. Use this in geneve for the moment, I suspect we need to adopt this more broadly. v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest - Only call __vlan_get_protocol() for vlan types. v2,v3 - Addressed Sabrina comments on v1 and v2 [1] BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 geneve_xmit_skb drivers/net/geneve.c:910 [inline] geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Added Reference kernel.org https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-35973 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-35973
weaknesses.