CVE-2024-42076
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: can: j1939: Initialize unused data in j1939_send_one()<br />
<br />
syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()<br />
creates full frame including unused data, but it doesn&#39;t initialize<br />
it. This causes the kernel-infoleak issue. Fix this by initializing<br />
unused data.<br />
<br />
[1]<br />
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br />
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]<br />
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]<br />
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]<br />
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]<br />
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185<br />
instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br />
copy_to_user_iter lib/iov_iter.c:24 [inline]<br />
iterate_ubuf include/linux/iov_iter.h:29 [inline]<br />
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]<br />
iterate_and_advance include/linux/iov_iter.h:271 [inline]<br />
_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185<br />
copy_to_iter include/linux/uio.h:196 [inline]<br />
memcpy_to_msg include/linux/skbuff.h:4113 [inline]<br />
raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008<br />
sock_recvmsg_nosec net/socket.c:1046 [inline]<br />
sock_recvmsg+0x2c4/0x340 net/socket.c:1068<br />
____sys_recvmsg+0x18a/0x620 net/socket.c:2803<br />
___sys_recvmsg+0x223/0x840 net/socket.c:2845<br />
do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939<br />
__sys_recvmmsg net/socket.c:3018 [inline]<br />
__do_sys_recvmmsg net/socket.c:3041 [inline]<br />
__se_sys_recvmmsg net/socket.c:3034 [inline]<br />
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034<br />
x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Uninit was created at:<br />
slab_post_alloc_hook mm/slub.c:3804 [inline]<br />
slab_alloc_node mm/slub.c:3845 [inline]<br />
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888<br />
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577<br />
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668<br />
alloc_skb include/linux/skbuff.h:1313 [inline]<br />
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504<br />
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795<br />
sock_alloc_send_skb include/net/sock.h:1842 [inline]<br />
j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]<br />
j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]<br />
j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x30f/0x380 net/socket.c:745<br />
____sys_sendmsg+0x877/0xb60 net/socket.c:2584<br />
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br />
__sys_sendmsg net/socket.c:2667 [inline]<br />
__do_sys_sendmsg net/socket.c:2676 [inline]<br />
__se_sys_sendmsg net/socket.c:2674 [inline]<br />
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674<br />
x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Bytes 12-15 of 16 are uninitialized<br />
Memory access of size 16 starts at ffff888120969690<br />
Data copied to user address 00000000200017c0<br />
<br />
CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.1 (including) | 5.4.279 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.221 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.162 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.97 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.37 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.8 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f
- https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf
- https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4
- https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f
- https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134
- https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298
- https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b
- https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f
- https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf
- https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4
- https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f
- https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134
- https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298
- https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html