CVE-2024-26633
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/03/2024
Last modified:
04/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()<br />
<br />
syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.<br />
<br />
Reading frag_off can only be done if we pulled enough bytes<br />
to skb->head. Currently we might access garbage.<br />
<br />
[1]<br />
BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0<br />
ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0<br />
ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]<br />
ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432<br />
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]<br />
netdev_start_xmit include/linux/netdevice.h:4954 [inline]<br />
xmit_one net/core/dev.c:3548 [inline]<br />
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564<br />
__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349<br />
dev_queue_xmit include/linux/netdevice.h:3134 [inline]<br />
neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592<br />
neigh_output include/net/neighbour.h:542 [inline]<br />
ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137<br />
ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222<br />
NF_HOOK_COND include/linux/netfilter.h:303 [inline]<br />
ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243<br />
dst_output include/net/dst.h:451 [inline]<br />
ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155<br />
ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]<br />
ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972<br />
rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582<br />
rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920<br />
inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg net/socket.c:745 [inline]<br />
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584<br />
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br />
__sys_sendmsg net/socket.c:2667 [inline]<br />
__do_sys_sendmsg net/socket.c:2676 [inline]<br />
__se_sys_sendmsg net/socket.c:2674 [inline]<br />
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
<br />
Uninit was created at:<br />
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768<br />
slab_alloc_node mm/slub.c:3478 [inline]<br />
__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517<br />
__do_kmalloc_node mm/slab_common.c:1006 [inline]<br />
__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027<br />
kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582<br />
pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098<br />
__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655<br />
pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]<br />
pskb_may_pull include/linux/skbuff.h:2681 [inline]<br />
ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408<br />
ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]<br />
ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432<br />
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]<br />
netdev_start_xmit include/linux/netdevice.h:4954 [inline]<br />
xmit_one net/core/dev.c:3548 [inline]<br />
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564<br />
__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349<br />
dev_queue_xmit include/linux/netdevice.h:3134 [inline]<br />
neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592<br />
neigh_output include/net/neighbour.h:542 [inline]<br />
ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137<br />
ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222<br />
NF_HOOK_COND include/linux/netfilter.h:303 [inline]<br />
ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243<br />
dst_output include/net/dst.h:451 [inline]<br />
ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155<br />
ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]<br />
ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972<br />
rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582<br />
rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920<br />
inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg net/socket.c:745 [inline]<br />
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584<br />
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br />
__sys_sendmsg net/socket.c:2667 [inline]<br />
__do_sys_sendms<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.19.306 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.268 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.148 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.2 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:* | ||
| cpe:2.3:o:netapp:a1k_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:netapp:a1k:*:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netapp:a70_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:netapp:a70:*:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netapp:a90_firmware:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee
- https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c
- https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d
- https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
- https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183
- https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087
- https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198
- https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd
- https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee
- https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c
- https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d
- https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
- https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183
- https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087
- https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198
- https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd
- https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://security.netapp.com/advisory/ntap-20241220-0001/