Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-35893

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2024
Last modified:
23/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: act_skbmod: prevent kernel-infoleak<br /> <br /> syzbot found that tcf_skbmod_dump() was copying four bytes<br /> from kernel stack to user space [1].<br /> <br /> The issue here is that &amp;#39;struct tc_skbmod&amp;#39; has a four bytes hole.<br /> <br /> We need to clear the structure before filling fields.<br /> <br /> [1]<br /> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]<br /> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]<br /> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]<br /> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]<br /> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185<br /> instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> copy_to_user_iter lib/iov_iter.c:24 [inline]<br /> iterate_ubuf include/linux/iov_iter.h:29 [inline]<br /> iterate_and_advance2 include/linux/iov_iter.h:245 [inline]<br /> iterate_and_advance include/linux/iov_iter.h:271 [inline]<br /> _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185<br /> copy_to_iter include/linux/uio.h:196 [inline]<br /> simple_copy_to_iter net/core/datagram.c:532 [inline]<br /> __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420<br /> skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546<br /> skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]<br /> netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962<br /> sock_recvmsg_nosec net/socket.c:1046 [inline]<br /> sock_recvmsg+0x2c4/0x340 net/socket.c:1068<br /> __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242<br /> __do_sys_recvfrom net/socket.c:2260 [inline]<br /> __se_sys_recvfrom net/socket.c:2256 [inline]<br /> __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256<br /> do_syscall_64+0xd5/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x6d/0x75<br /> <br /> Uninit was stored to memory at:<br /> pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253<br /> netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317<br /> netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351<br /> nlmsg_unicast include/net/netlink.h:1144 [inline]<br /> nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610<br /> rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741<br /> rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]<br /> tcf_add_notify net/sched/act_api.c:2048 [inline]<br /> tcf_action_add net/sched/act_api.c:2071 [inline]<br /> tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119<br /> rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595<br /> netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559<br /> rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]<br /> netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361<br /> netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:745<br /> ____sys_sendmsg+0x877/0xb60 net/socket.c:2584<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br /> __sys_sendmsg net/socket.c:2667 [inline]<br /> __do_sys_sendmsg net/socket.c:2676 [inline]<br /> __se_sys_sendmsg net/socket.c:2674 [inline]<br /> __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674<br /> do_syscall_64+0xd5/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x6d/0x75<br /> <br /> Uninit was stored to memory at:<br /> __nla_put lib/nlattr.c:1041 [inline]<br /> nla_put+0x1c6/0x230 lib/nlattr.c:1099<br /> tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256<br /> tcf_action_dump_old net/sched/act_api.c:1191 [inline]<br /> tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227<br /> tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251<br /> tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628<br /> tcf_add_notify_msg net/sched/act_api.c:2023 [inline]<br /> tcf_add_notify net/sched/act_api.c:2042 [inline]<br /> tcf_action_add net/sched/act_api.c:2071 [inline]<br /> tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119<br /> rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595<br /> netlink_rcv_skb+0x375/0x650 net/netlink/af_netli<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9 (including) 4.19.312 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.274 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools