Description
In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). </quote valis> With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever "goto destroy_macvlan_port;" path is taken. Many thanks to valis for following up on this issue.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
|
 debian 11 | | =5.10.103-1 || =5.10.103-1~bpo10+1 || =5.10.106-1 || =5.10.113-1 || =5.10.120-1 || =5.10.120-1~bpo10+1 || =5.10.127-1 || =5.10.127-2 || =5.10.127-2~bpo10+1 || =5.10.136-1 || =5.10.140-1 || =5.10.148-1 || =5.10.149-1 || =5.10.149-2 || =5.10.158-1 || =5.10.158-2 || =5.10.162-1 || =5.10.178-1 || =5.10.178-2 || =5.10.178-3 || =5.10.179-1 || =5.10.179-2 || =5.10.179-3 || =5.10.179-4 || =5.10.179-5 || =5.10.191-1 || =5.10.197-1 || =5.10.205-1 || =5.10.205-2 || =5.10.209-1 || =5.10.209-2 || =5.10.216-1 || =5.10.218-1 || =5.10.221-1 || =5.10.223-1 || =5.10.226-1 || =5.10.234-1 || =5.10.237-1 || =5.10.244-1 || =5.10.247-1 || =5.10.249-1 || =5.10.46-4 || =5.10.46-5 || =5.10.70-1 || =5.10.70-1~bpo10+1 || =5.10.84-1 || =5.10.92-1 || =5.10.92-1~bpo10+1 || =5.10.92-2 || >=0 <5.10.251-1 | 5.10.251-1 |
debian 12 | | =6.1.106-1 || =6.1.106-2 || =6.1.106-3 || =6.1.112-1 || =6.1.115-1 || =6.1.119-1 || =6.1.123-1 || =6.1.124-1 || =6.1.128-1 || =6.1.129-1 || =6.1.133-1 || =6.1.135-1 || =6.1.137-1 || =6.1.139-1 || =6.1.140-1 || =6.1.147-1 || =6.1.148-1 || =6.1.153-1 || =6.1.158-1 || =6.1.159-1 || =6.1.162-1 || =6.1.27-1 || =6.1.37-1 || =6.1.38-1 || =6.1.38-2 || =6.1.38-2~bpo11+1 || =6.1.38-3 || =6.1.38-4 || =6.1.38-4~bpo11+1 || =6.1.52-1 || =6.1.55-1 || =6.1.55-1~bpo11+1 || =6.1.64-1 || =6.1.66-1 || =6.1.67-1 || =6.1.69-1 || =6.1.69-1~bpo11+1 || =6.1.76-1 || =6.1.76-1~bpo11+1 || =6.1.82-1 || =6.1.85-1 || =6.1.90-1 || =6.1.90-1~bpo11+1 || =6.1.94-1 || =6.1.94-1~bpo11+1 || =6.1.98-1 || =6.1.99-1 || >=0 <6.1.164-1 | 6.1.164-1 |
debian 13 | | =6.12.38-1 || =6.12.41-1 || =6.12.43-1 || =6.12.43-1~bpo12+1 || =6.12.48-1 || =6.12.57-1 || =6.12.57-1~bpo12+1 || =6.12.63-1 || =6.12.63-1~bpo12+1 || =6.12.69-1 || =6.12.69-1~bpo12+1 || =6.12.73-1~bpo12+1 || >=0 <6.12.73-1 | 6.12.73-1 |
debian 14 | | =6.12.38-1 || =6.12.41-1 || =6.12.43-1 || =6.12.43-1~bpo12+1 || =6.12.48-1 || =6.12.57-1 || =6.12.57-1~bpo12+1 || =6.12.63-1 || =6.12.63-1~bpo12+1 || =6.12.69-1 || =6.12.69-1~bpo12+1 || =6.12.73-1 || =6.12.73-1~bpo12+1 || =6.12.74-1 || =6.12.74-2 || =6.12.74-2~bpo12+1 || =6.13.10-1~exp1 || =6.13.11-1~exp1 || =6.13.2-1~exp1 || =6.13.3-1~exp1 || =6.13.4-1~exp1 || =6.13.5-1~exp1 || =6.13.6-1~exp1 || =6.13.7-1~exp1 || =6.13.8-1~exp1 || =6.13.9-1~exp1 || =6.13~rc6-1~exp1 || =6.13~rc7-1~exp1 || =6.14.3-1~exp1 || =6.14.5-1~exp1 || =6.14.6-1~exp1 || =6.15-1~exp1 || =6.15.1-1~exp1 || =6.15.2-1~exp1 || =6.15.3-1~exp1 || =6.15.4-1~exp1 || =6.15.5-1~exp1 || =6.15.6-1~exp1 || =6.15~rc7-1~exp1 || =6.16-1~exp1 || =6.16.1-1~exp1 || =6.16.10-1 || =6.16.11-1 || =6.16.12-1 || =6.16.12-1~bpo13+1 || =6.16.12-2 || =6.16.3-1 || =6.16.3-1~bpo13+1 || =6.16.5-1 || =6.16.6-1 || =6.16.7-1 || =6.16.8-1 || =6.16.9-1 || =6.16~rc7-1~exp1 || =6.17.10-1 || =6.17.11-1 || =6.17.12-1 || =6.17.13-1 || =6.17.13-1~bpo13+1 || =6.17.2-1~exp1 || =6.17.5-1~exp1 || =6.17.6-1 || =6.17.7-1 || =6.17.7-2 || =6.17.8-1 || =6.17.8-1~bpo13+1 || =6.17.9-1 || =6.18.1-1~exp1 || =6.18.2-1~exp1 || =6.18.3-1 || =6.18.5-1 || =6.18.5-1~bpo13+1 || =6.18.8-1 || =6.18.9-1 || =6.18.9-1~bpo13+1 || =6.18~rc4-1~exp1 || =6.18~rc4-1~exp2 || =6.18~rc5-1~exp1 || =6.18~rc6-1~exp1 || =6.18~rc7-1~exp1 || >=0 <6.18.10-1 | 6.18.10-1 |
debian 11 | | =6.1.106-3~deb11u1 || =6.1.106-3~deb11u2 || =6.1.106-3~deb11u3 || =6.1.112-1~deb11u1 || =6.1.119-1~deb11u1 || =6.1.128-1~deb11u1 || =6.1.129-1~deb11u1 || =6.1.137-1~deb11u1 || =6.1.140-1~deb11u1 || =6.1.147-1~deb11u1 || =6.1.148-1~deb11u1 || =6.1.153-1~deb11u1 || =6.1.158-1~deb11u1 || =6.1.159-1~deb11u1 || =6.1.162-1~deb11u1 || >=0 <6.1.164-1~deb11u1 | 6.1.164-1~deb11u1 |
 rpm rhel10 | | <0:6.12.0-124.49.1.el10_1 | 0:6.12.0-124.49.1.el10_1 |
rpm rhel8 | | <0:4.18.0-553.115.1.el8_10 | 0:4.18.0-553.115.1.el8_10 |
rpm rhel10.0 | | | 0:6.12.0-55.66.1.el10_0 |
rpm rhel9 | | | 0:5.14.0-611.45.1.el9_7 |
rpm rhel8 | | <0:4.18.0-553.115.1.rt7.456.el8_10 | 0:4.18.0-553.115.1.rt7.456.el8_10 |
