ipv6: Fix potential uninit-value access in __ip6_make_skb()

PlaidCat · PlaidCat · commit fe3d42f1f2b5 · 2024-09-12T13:27:02.000-04:00
jira LE-1907 cve CVE-2024-36903 Rebuild_History Non-Buildable kernel-5.14.0-427.31.1.el9_4 commit-author Shigeru Yoshida <syoshida@redhat.com> commit 4e13d3a Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/4e13d3a9.failed As it was done in commit fc1092f ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value access. Fixes: ea30388 ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()") Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 4e13d3a) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/ipv6/ip6_output.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/4e13d3a9.failed b/ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/4e13d3a9.failed
@@ -0,0 +1,42 @@
+ipv6: Fix potential uninit-value access in __ip6_make_skb()
+
+jira LE-1907
+cve CVE-2024-36903
+Rebuild_History Non-Buildable kernel-5.14.0-427.31.1.el9_4
+commit-author Shigeru Yoshida <syoshida@redhat.com>
+commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/4e13d3a9.failed
+
+As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
+__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
+instead of testing HDRINCL on the socket to avoid a race condition which
+causes uninit-value access.
+
+Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()")
+	Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+	Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/ipv6/ip6_output.c
+diff --cc net/ipv6/ip6_output.c
+index 282ce383927c,fa2937732665..000000000000
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@@ -1968,7 -1932,8 +1968,12 @@@ struct sk_buff *__ip6_make_skb(struct s
+  		struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+  		u8 icmp6_type;
+  
+++<<<<<<< HEAD
+ +		if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl)
+++=======
++ 		if (sk->sk_socket->type == SOCK_RAW &&
++ 		   !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH))
+++>>>>>>> 4e13d3a9c25b (ipv6: Fix potential uninit-value access in __ip6_make_skb())
+  			icmp6_type = fl6->fl6_icmp_type;
+  		else
+  			icmp6_type = icmp6_hdr(skb)->icmp6_type;
+* Unmerged path net/ipv6/ip6_output.c
