CVE-2024-50110

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/11/2024
Last modified:
08/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix one more kernel-infoleak in algo dumping

During fuzz testing, the following issue was discovered:

BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
 _copy_to_iter+0x598/0x2a30
 __skb_datagram_iter+0x168/0x1060
 skb_copy_datagram_iter+0x5b/0x220
 netlink_recvmsg+0x362/0x1700
 sock_recvmsg+0x2dc/0x390
 __sys_recvfrom+0x381/0x6d0
 __x64_sys_recvfrom+0x130/0x200
 x64_sys_call+0x32c8/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Uninit was stored to memory at:
 copy_to_user_state_extra+0xcc1/0x1e00
 dump_one_state+0x28c/0x5f0
 xfrm_state_walk+0x548/0x11e0
 xfrm_dump_sa+0x1e0/0x840
 netlink_dump+0x943/0x1c40
 __netlink_dump_start+0x746/0xdb0
 xfrm_user_rcv_msg+0x429/0xc00
 netlink_rcv_skb+0x613/0x780
 xfrm_netlink_rcv+0x77/0xc0
 netlink_unicast+0xe90/0x1280
 netlink_sendmsg+0x126d/0x1490
 __sock_sendmsg+0x332/0x3d0
 ____sys_sendmsg+0x863/0xc30
 ___sys_sendmsg+0x285/0x3e0
 __x64_sys_sendmsg+0x2d6/0x560
 x64_sys_call+0x1316/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Uninit was created at:
 __kmalloc+0x571/0xd30
 attach_auth+0x106/0x3e0
 xfrm_add_sa+0x2aa0/0x4230
 xfrm_user_rcv_msg+0x832/0xc00
 netlink_rcv_skb+0x613/0x780
 xfrm_netlink_rcv+0x77/0xc0
 netlink_unicast+0xe90/0x1280
 netlink_sendmsg+0x126d/0x1490
 __sock_sendmsg+0x332/0x3d0
 ____sys_sendmsg+0x863/0xc30
 ___sys_sendmsg+0x285/0x3e0
 __x64_sys_sendmsg+0x2d6/0x560
 x64_sys_call+0x1316/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Bytes 328-379 of 732 are uninitialized
Memory access of size 732 starts at ffff88800e18e000
Data copied to user address 00007ff30f48aff0

CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

Fixes copying of xfrm algorithms where some random data of the structure fields can end up in userspace. Padding in structures may be filled with random (possibly sensitive) data and should never be given directly to user-space.

A similar issue was resolved in the commit 8222d5910dae ("xfrm: Zero padding when dumping algos and encap")

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
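As an added illustration of the bug class the commit message describes (this is not code from the page, the kernel, or the fix), the following C program defines a constructed descriptor type, pre-fills it with 0xAA to stand in for a non-zeroed allocation, writes only its named fields, and counts the padding bytes that a whole-object copy to userspace would carry; the `zeroed` path applies the remedy the message prescribes, zeroing the object before filling it. The type `algo_out` and the functions `fill_algo`, `nonzero_padding_bytes` and `leaked_bytes` are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a descriptor copied to userspace; not the kernel's struct. */
struct algo_out {
    char     name[5];   /* padding follows, up to the 4-byte-aligned key_len */
    uint32_t key_len;
    uint8_t  flags;     /* padding follows, up to the 8-byte-aligned key_bits */
    uint64_t key_bits;
};

/* True when byte offset i lies inside member m of struct s. */
#define IN_FIELD(i, s, m) \
    ((i) >= offsetof(struct s, m) && (i) < offsetof(struct s, m) + sizeof(((struct s *)0)->m))

/* Count non-zero bytes outside every named field: stale padding that a copy of
 * the whole object would hand to userspace, which is what KMSAN flagged above. */
size_t nonzero_padding_bytes(const struct algo_out *o)
{
    const unsigned char *p = (const unsigned char *)o;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *o; i++)
        if (!IN_FIELD(i, algo_out, name) && !IN_FIELD(i, algo_out, key_len) &&
            !IN_FIELD(i, algo_out, flags) && !IN_FIELD(i, algo_out, key_bits) && p[i])
            n++;
    return n;
}

/* Only the named fields are written; padding keeps whatever the allocator left. */
void fill_algo(struct algo_out *dst, const char *name, uint32_t key_len)
{
    memcpy(dst->name, name, sizeof dst->name);
    dst->key_len  = key_len;
    dst->flags    = 1;
    dst->key_bits = (uint64_t)key_len * 8;
}

/* Simulate a non-zeroed allocation, fill it, and report stale padding bytes. */
size_t leaked_bytes(int zeroed)
{
    struct algo_out o;
    memset(&o, 0xAA, sizeof o);      /* stale allocation contents, constructed */
    if (zeroed)                      /* the fix: zero the object before filling it */
        memset(&o, 0, sizeof o);
    fill_algo(&o, "hmac", 16);
    return nonzero_padding_bytes(&o);
}
```

With `zeroed` set, every padding byte is deterministic and the count drops to zero; without it, the count equals the total padding in the object.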

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.170 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.115 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*