geneve: fix header validation in geneve[6]_xmit_skb

Summary

CVE: CVE-2024-35973
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2024-05-20 10:15:12 UTC
Updated: 2026-05-12 12:16:44 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

geneve: fix header validation in geneve[6]_xmit_skb

syzbot is able to trigger an uninit-value in geneve_xmit() [1]

Problem: While most ip tunnel helpers (like ip_tunnel_get_dsfield()) use skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol.

If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all.

If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected.

Add skb_vlan_inet_prepare() to perform a complete mac validation.

Use this in geneve for the moment, I suspect we need to adopt this more broadly.

v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest
   - Only call __vlan_get_protocol() for vlan types.

v2,v3 - Addressed Sabrina comments on v1 and v2

[1]

BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]
BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
  geneve_xmit_skb drivers/net/geneve.c:910 [inline]
  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
  netdev_start_xmit include/linux/netdevice.h:4917 [inline]
  xmit_one net/core/dev.c:3531 [inline]
  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335
  dev_queue_xmit include/linux/netdevice.h:3091 [inline]
  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3081 [inline]
  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:745
  __sys_sendto+0x685/0x830 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3804 [inline]
  slab_alloc_node mm/slub.c:3845 [inline]
  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
  alloc_skb include/linux/skbuff.h:1318 [inline]
  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
  packet_alloc_skb net/packet/af_packet.c:2930 [inline]
  packet_snd net/packet/af_packet.c:3024 [inline]
  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:745
  __sys_sendto+0x685/0x830 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from ADP

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-908 | CWE-noinfo Not enough information


Version Source Type Score Severity Vector
3.1 ADP DECLARED 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
3.1 134c704f-9b21-4f2e-91b3-4a467353bcc0 Secondary 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High


NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected 35385daa8db320d2d9664930c28e732578b0d7de 43be590456e1f3566054ce78ae2dbb68cbe1a536 git Not specified
CNA Linux Linux affected 6f92124d74419797fadfbcd5b7a72c384a6413ad d3adf11d7993518a39bd02b383cfe657ccc0023c git Not specified
CNA Linux Linux affected 71ad9260c001b217d704cda88ecea251b2d367da 10204df9beda4978bd1d0c2db0d8375bfb03b915 git Not specified
CNA Linux Linux affected d13f048dd40e8577260cd43faea8ec9b77520197 3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 git Not specified
CNA Linux Linux affected d13f048dd40e8577260cd43faea8ec9b77520197 4a1b65d1e55d53b397cb27014208be1e04172670 git Not specified
CNA Linux Linux affected d13f048dd40e8577260cd43faea8ec9b77520197 190d9efa5773f26d6f334b1b8be282c4fa13fd5e git Not specified
CNA Linux Linux affected d13f048dd40e8577260cd43faea8ec9b77520197 357163fff3a6e48fe74745425a32071ec9caf852 git Not specified
CNA Linux Linux affected d13f048dd40e8577260cd43faea8ec9b77520197 d8a6213d70accb403b82924a1c229e733433a5ef git Not specified
CNA Linux Linux affected 9a51e36ebf433adf59c051bec33f5aa54640bb4d git Not specified
CNA Linux Linux affected 21815f28af8081b258552c111774ff320cf38d38 git Not specified
CNA Linux Linux affected 5.13 Not specified
CNA Linux Linux unaffected 5.13 semver Not specified
CNA Linux Linux unaffected 4.19.313 4.19.* semver Not specified
CNA Linux Linux unaffected 5.4.275 5.4.* semver Not specified
CNA Linux Linux unaffected 5.10.216 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.156 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.87 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.28 6.6.* semver Not specified
CNA Linux Linux unaffected 6.8.7 6.8.* semver Not specified
CNA Linux Linux unaffected 6.9 * original_commit_for_fix Not specified
ADP Siemens RUGGEDCOM RST2428P affected V3.1 custom Not specified
ADP Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family unaffected * custom Not specified
ADP Siemens SCALANCE XCM-/XRM-/XCH-/XRH-300 Family affected V3.1 custom Not specified
ADP Siemens SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem affected * custom Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
lists.debian.org/debian-lts-announce/2024/06/msg00017.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org Mailing List, Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-265688.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-613116.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
lists.debian.org/debian-lts-announce/2024/06/msg00020.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org Mailing List, Third Party Advisory
git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis