Bug 1222421 (CVE-2024-26707) - VUL-0: CVE-2024-26707: kernel: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()
Summary: VUL-0: CVE-2024-26707: kernel: net: hsr: remove WARN_ONCE() in send_hsr_super...
Status: NEW
Alias: CVE-2024-26707
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400178/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26707:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-08 06:51 UTC by SMASH SMASH
Modified: 2024-07-03 07:44 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (mkubecek)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-04-08 06:51:29 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

Syzkaller reported [1] hitting a warning after failing to allocate
resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will
not help much in this case, it might be prudent to switch to
netdev_warn_once(). At the very least it will suppress syzkaller
reports such as [1].

Just in case, use netdev_warn_once() in send_prp_supervision_frame()
for similar reasons.

[1]
HSR: Could not send supervision frame
WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
...
Call Trace:
 <IRQ>
 hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382
 call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x764/0xb20 kernel/time/timer.c:2022
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
 __do_softirq+0x21a/0x8de kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
...

This issue is also found in older kernels (at least up to 5.10).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26707
https://www.cve.org/CVERecord?id=CVE-2024-26707
https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb
https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e
https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51
https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a
https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8
https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-26707.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2273168
Comment 4 Michal Hocko 2024-07-03 07:44:14 UTC 
This patch is only removing WARN_ON and that is not considered a security threat because we neither enable panic_on_warn nor recommend that configuration in production systems.