CVE-2024-26663

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 02/04/2024
Last modified: 07/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()

syzbot reported the following general protection fault [1]:

general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
...
RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291
...
Call Trace:

tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646
tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089
genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

The cause of this issue is that when tipc_nl_bearer_add() is called with the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called even if the bearer is not UDP.

tipc_udp_is_known_peer(), called by tipc_udp_nl_bearer_add(), assumes that the media_ptr field of the tipc_bearer has a udp_bearer type object, so the function goes crazy for non-UDP bearers.

This patch fixes the issue by checking the bearer type before calling tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().
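A simplified, stand-alone C model of the bug class and the fix described in this record, added here as an example (it is not the kernel's code): the media type constants, struct layouts, function names and the ERR_INVAL value are assumptions. It shows why a generic media_ptr must be dispatched on the bearer's own recorded type rather than on an attribute supplied in the request.

```c
/* Assumed identifiers for this model, not the kernel's constants. */
#define MEDIA_TYPE_ETH 1
#define MEDIA_TYPE_UDP 2
#define ERR_INVAL (-22)                 /* stands in for -EINVAL */

struct udp_bearer { int remote_cnt; };      /* model of the UDP media object */
struct eth_bearer { char dev_name[16]; };   /* a non-UDP media object */
struct bearer {
    int   media_type;   /* records what media_ptr really points to */
    void *media_ptr;    /* udp_bearer, eth_bearer, ... per media_type */
};

/* Like tipc_udp_is_known_peer(), valid only for UDP bearers: it casts
 * media_ptr to struct udp_bearer without checking. */
static int udp_peer_count(const struct bearer *b)
{
    const struct udp_bearer *ub = b->media_ptr;
    return ub->remote_cnt;
}

/* "Bearer add" handler. Before the fix, the presence of the UDP-options
 * attribute alone selected the UDP path, so a request naming a non-UDP
 * bearer reached udp_peer_count() with the wrong object behind media_ptr.
 * The fix dispatches on the bearer's own recorded type instead. */
static int bearer_add(struct bearer *b, int has_udp_opts, int *peers_out)
{
    if (!has_udp_opts)
        return 0;                       /* nothing UDP-specific requested */
    if (b->media_type != MEDIA_TYPE_UDP)
        return ERR_INVAL;               /* the added check: reject, don't cast */
    *peers_out = udp_peer_count(b);
    return 0;
}

/* Scenario helpers: a UDP bearer yields its peer count (3); a non-UDP
 * bearer given UDP options is rejected with ERR_INVAL. */
int udp_bearer_with_udp_opts(void)
{
    struct udp_bearer ub = { 3 };
    struct bearer b = { MEDIA_TYPE_UDP, &ub };
    int peers = 0;
    return bearer_add(&b, 1, &peers) == 0 ? peers : -1;
}
int eth_bearer_with_udp_opts(void)
{
    struct eth_bearer eb = { "eth0" };
    struct bearer b = { MEDIA_TYPE_ETH, &eb };
    int peers = 0;
    return bearer_add(&b, 1, &peers);
}
```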

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9 (including) 4.19.307 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.269 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*