CVE-2024-50110
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 05/11/2024
Last modified: 08/11/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix one more kernel-infoleak in algo dumping

During fuzz testing, the following issue was discovered:

```
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
 _copy_to_iter+0x598/0x2a30
 __skb_datagram_iter+0x168/0x1060
 skb_copy_datagram_iter+0x5b/0x220
 netlink_recvmsg+0x362/0x1700
 sock_recvmsg+0x2dc/0x390
 __sys_recvfrom+0x381/0x6d0
 __x64_sys_recvfrom+0x130/0x200
 x64_sys_call+0x32c8/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Uninit was stored to memory at:
 copy_to_user_state_extra+0xcc1/0x1e00
 dump_one_state+0x28c/0x5f0
 xfrm_state_walk+0x548/0x11e0
 xfrm_dump_sa+0x1e0/0x840
 netlink_dump+0x943/0x1c40
 __netlink_dump_start+0x746/0xdb0
 xfrm_user_rcv_msg+0x429/0xc00
 netlink_rcv_skb+0x613/0x780
 xfrm_netlink_rcv+0x77/0xc0
 netlink_unicast+0xe90/0x1280
 netlink_sendmsg+0x126d/0x1490
 __sock_sendmsg+0x332/0x3d0
 ____sys_sendmsg+0x863/0xc30
 ___sys_sendmsg+0x285/0x3e0
 __x64_sys_sendmsg+0x2d6/0x560
 x64_sys_call+0x1316/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Uninit was created at:
 __kmalloc+0x571/0xd30
 attach_auth+0x106/0x3e0
 xfrm_add_sa+0x2aa0/0x4230
 xfrm_user_rcv_msg+0x832/0xc00
 netlink_rcv_skb+0x613/0x780
 xfrm_netlink_rcv+0x77/0xc0
 netlink_unicast+0xe90/0x1280
 netlink_sendmsg+0x126d/0x1490
 __sock_sendmsg+0x332/0x3d0
 ____sys_sendmsg+0x863/0xc30
 ___sys_sendmsg+0x285/0x3e0
 __x64_sys_sendmsg+0x2d6/0x560
 x64_sys_call+0x1316/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Bytes 328-379 of 732 are uninitialized
Memory access of size 732 starts at ffff88800e18e000
Data copied to user address 00007ff30f48aff0

CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
```

Fixes copying of xfrm algorithms where some random data of the structure fields can end up in userspace. Padding in structures may be filled with random (possibly sensitive) data and should never be given directly to user-space.

A similar issue was resolved in the commit 8222d5910dae ("xfrm: Zero padding when dumping algos and encap").

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
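The bug class the commit message describes, as an added user-space model that is not the kernel's code or the fix itself: a record is allocated without zeroing, its fixed-size name buffer is only partially written, and a whole-structure copy carries the stale tail to the caller, while the hardened copy writes every byte. The `struct algo`, `attach_algo`, `dump_algo_*` and `leak_for` names, the 0xAA stale marker and the "hmac(sha256)" input are all assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the bug class above (not kernel code): a
 * record with a fixed-size name buffer is allocated without zeroing, the name
 * is strcpy'd in, and the whole record is memcpy'd to a user-visible dump. */
#define NAME_LEN 64
#define STALE 0xAA      /* marker standing in for uninitialized heap contents */
struct algo {           /* shaped like an algo record, not the kernel's layout */
    char alg_name[NAME_LEN];
    unsigned int alg_key_len;
};

/* Like kmalloc() plus strcpy(): the tail of alg_name is never written. */
static struct algo *attach_algo(const char *name, unsigned int key_len)
{
    struct algo *a = malloc(sizeof(*a));
    memset(a, STALE, sizeof(*a));   /* emulate stale heap memory */
    strcpy(a->alg_name, name);
    a->alg_key_len = key_len;
    return a;
}

/* Leaky dump: copies the record as-is, stale bytes included. */
static void dump_algo_leaky(const struct algo *a, struct algo *out)
{
    memcpy(out, a, sizeof(*out));
}

/* Hardened dump: every output byte is written explicitly (the kernel's
 * strscpy_pad() does the bounded copy plus zero-fill in one call). */
static void dump_algo_fixed(const struct algo *a, struct algo *out)
{
    memset(out, 0, sizeof(*out));
    strncpy(out->alg_name, a->alg_name, NAME_LEN - 1);
    out->alg_key_len = a->alg_key_len;
}

/* Stale bytes a dump of `name` would hand to user space, a crude stand-in for
 * the KMSAN check that flagged the real bug: 51 for "hmac(sha256)" when leaky, 0 when fixed. */
static size_t leak_for(const char *name, int fixed)
{
    struct algo out, *a = attach_algo(name, 256);
    size_t n = 0;
    if (fixed) dump_algo_fixed(a, &out); else dump_algo_leaky(a, &out);
    free(a);
    for (size_t i = strlen(out.alg_name) + 1; i < NAME_LEN; i++)
        n += (unsigned char)out.alg_name[i] == STALE;
    return n;
}
```

Under KMSAN the leaky path is the pattern that produces a "kernel-infoleak" report at the copy-to-user boundary; the hardened path leaves no unwritten bytes for it to flag.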
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.170 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.115 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.59 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1e8fbd2441cb2ea28d6825f2985bf7d84af060bb
- https://git.kernel.org/stable/c/610d4cea9b442b22b4820695fc3335e64849725e
- https://git.kernel.org/stable/c/6889cd2a93e1e3606b3f6e958aa0924e836de4d2
- https://git.kernel.org/stable/c/c73bca72b84b453c8d26a5e7673b20adb294bf54
- https://git.kernel.org/stable/c/dc2ad8e8818e4bf1a93db78d81745b4877b32972