Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-42106

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> inet_diag: Initialize pad field in struct inet_diag_req_v2<br /> <br /> KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw<br /> sockets uses the pad field in struct inet_diag_req_v2 for the<br /> underlying protocol. This field corresponds to the sdiag_raw_protocol<br /> field in struct inet_diag_req_raw.<br /> <br /> inet_diag_get_exact_compat() converts inet_diag_req to<br /> inet_diag_req_v2, but leaves the pad field uninitialized. So the issue<br /> occurs when raw_lookup() accesses the sdiag_raw_protocol field.<br /> <br /> Fix this by initializing the pad field in<br /> inet_diag_get_exact_compat(). Also, do the same fix in<br /> inet_diag_dump_compat() to avoid the similar issue in the future.<br /> <br /> [1]<br /> BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]<br /> BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71<br /> raw_lookup net/ipv4/raw_diag.c:49 [inline]<br /> raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71<br /> raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99<br /> inet_diag_cmd_exact+0x7d9/0x980<br /> inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]<br /> inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426<br /> sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282<br /> netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564<br /> sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]<br /> netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361<br /> netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x332/0x3d0 net/socket.c:745<br /> ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585<br /> ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639<br /> __sys_sendmsg net/socket.c:2668 [inline]<br /> __do_sys_sendmsg net/socket.c:2677 [inline]<br /> __se_sys_sendmsg net/socket.c:2675 [inline]<br /> __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675<br /> x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was stored to memory at:<br /> raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71<br /> raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99<br /> inet_diag_cmd_exact+0x7d9/0x980<br /> inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]<br /> inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426<br /> sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282<br /> netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564<br /> sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]<br /> netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361<br /> netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x332/0x3d0 net/socket.c:745<br /> ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585<br /> ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639<br /> __sys_sendmsg net/socket.c:2668 [inline]<br /> __do_sys_sendmsg net/socket.c:2677 [inline]<br /> __se_sys_sendmsg net/socket.c:2675 [inline]<br /> __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675<br /> x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Local variable req.i created at:<br /> inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]<br /> inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426<br /> sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282<br /> <br /> CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.19.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.98 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools