CVE-2024-53212

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/12/2024
Last modified: 08/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netlink: fix false positive warning in extack during dumps

Commit under fixes extended extack reporting to dumps.
It works under normal conditions, because extack errors are
usually reported during ->start() or the first ->dump(),
it's quite rare that the dump starts okay but fails later.
If the dump does fail later, however, the input skb will
already have the initiating message pulled, so checking
if bad attr falls within skb->data will fail.

Switch the check to using nlh, which is always valid.

syzbot found a way to hit that scenario by filling up
the receive queue. In this case we initiate a dump
but don't call ->dump() until there is read space for
an skb.

WARNING: CPU: 1 PID: 5845 at net/netlink/af_netlink.c:2210 netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209
RIP: 0010:netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209
Call Trace:
 netlink_dump_done+0x513/0x970 net/netlink/af_netlink.c:2250
 netlink_dump+0x91f/0xe10 net/netlink/af_netlink.c:2351
 netlink_recvmsg+0x6bb/0x11d0 net/netlink/af_netlink.c:1983
 sock_recvmsg_nosec net/socket.c:1051 [inline]
 sock_recvmsg+0x22f/0x280 net/socket.c:1073
 __sys_recvfrom+0x246/0x3d0 net/socket.c:2267
 __do_sys_recvfrom net/socket.c:2285 [inline]
 __se_sys_recvfrom net/socket.c:2281 [inline]
 __x64_sys_recvfrom+0xde/0x100 net/socket.c:2281
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff37dd17a79
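
The range check described above, modelled in userspace C as an added example (not kernel code and not part of the advisory). model_skb, model_hdr, the buffer and the offsets are hypothetical stand-ins for the skb, nlh and bad attr that the description names.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace stand-ins, not the kernel's sk_buff / nlmsghdr. */
struct model_hdr { uint32_t msg_len; };            /* message length, header included */
struct model_skb { uint8_t *data; uint32_t len; }; /* unread window into the buffer */

#define MSG_LEN  32u                /* constructed message size */
#define ATTR_OFF 12u                /* constructed offset of the "bad attr" */
static uint32_t storage[16];        /* constructed 64-byte request buffer */

/* Check anchored on the buffer window: only holds while the message is unpulled. */
static int attr_in_skb_window(const struct model_skb *skb, const uint8_t *attr)
{
    return attr >= skb->data && attr < skb->data + skb->len;
}

/* Check anchored on the message header: holds however far data has moved. */
static int attr_in_message(const struct model_hdr *hdr, const uint8_t *attr)
{
    const uint8_t *start = (const uint8_t *)hdr;
    return attr >= start && attr < start + hdr->msg_len;
}

/* Returns (window check << 1) | header check for the same attribute pointer. */
int check_attr(int pulled)
{
    struct model_hdr *hdr = (struct model_hdr *)storage;
    struct model_skb skb = { (uint8_t *)storage, MSG_LEN };
    uint8_t *attr = (uint8_t *)storage + ATTR_OFF;

    hdr->msg_len = MSG_LEN;
    if (pulled) { skb.data += MSG_LEN; skb.len -= MSG_LEN; } /* message consumed */
    return (attr_in_skb_window(&skb, attr) << 1) | attr_in_message(hdr, attr);
}

/* A pointer just past the message must still be rejected by the header check. */
int check_out_of_range(void)
{
    struct model_hdr *hdr = (struct model_hdr *)storage;
    hdr->msg_len = MSG_LEN;
    return attr_in_message(hdr, (uint8_t *)storage + MSG_LEN);
}

int main(void)
{
    printf("%d %d %d\n", check_attr(0), check_attr(1), check_out_of_range());
    return 0;
}
```

Before the pull both checks accept the attribute; after it only the header-anchored check does, which is the false positive the warning reported.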

Vulnerable products and versions

CPE                                             From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.10 (including)    6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.12 (including)    6.12.2 (excluding)