CVE-2024-56650

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 27/12/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: fix LED ID check in led_tg_check()

Syzbot has reported the following BUG detected by KASAN:

BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70
Read of size 1 at addr ffff8881022da0c8 by task repro/5879
...
Call Trace:
 dump_stack_lvl+0x241/0x360
 ? __pfx_dump_stack_lvl+0x10/0x10
 ? __pfx__printk+0x10/0x10
 ? _printk+0xd5/0x120
 ? __virt_addr_valid+0x183/0x530
 ? __virt_addr_valid+0x183/0x530
 print_report+0x169/0x550
 ? __virt_addr_valid+0x183/0x530
 ? __virt_addr_valid+0x183/0x530
 ? __virt_addr_valid+0x45f/0x530
 ? __phys_addr+0xba/0x170
 ? strlen+0x58/0x70
 kasan_report+0x143/0x180
 ? strlen+0x58/0x70
 strlen+0x58/0x70
 kstrdup+0x20/0x80
 led_tg_check+0x18b/0x3c0
 xt_check_target+0x3bb/0xa40
 ? __pfx_xt_check_target+0x10/0x10
 ? stack_depot_save_flags+0x6e4/0x830
 ? nft_target_init+0x174/0xc30
 nft_target_init+0x82d/0xc30
 ? __pfx_nft_target_init+0x10/0x10
 ? nf_tables_newrule+0x1609/0x2980
 ? nf_tables_newrule+0x1609/0x2980
 ? rcu_is_watching+0x15/0xb0
 ? nf_tables_newrule+0x1609/0x2980
 ? nf_tables_newrule+0x1609/0x2980
 ? __kmalloc_noprof+0x21a/0x400
 nf_tables_newrule+0x1860/0x2980
 ? __pfx_nf_tables_newrule+0x10/0x10
 ? __nla_parse+0x40/0x60
 nfnetlink_rcv+0x14e5/0x2ab0
 ? __pfx_validate_chain+0x10/0x10
 ? __pfx_nfnetlink_rcv+0x10/0x10
 ? __lock_acquire+0x1384/0x2050
 ? netlink_deliver_tap+0x2e/0x1b0
 ? __pfx_lock_release+0x10/0x10
 ? netlink_deliver_tap+0x2e/0x1b0
 netlink_unicast+0x7f8/0x990
 ? __pfx_netlink_unicast+0x10/0x10
 ? __virt_addr_valid+0x183/0x530
 ? __check_object_size+0x48e/0x900
 netlink_sendmsg+0x8e4/0xcb0
 ? __pfx_netlink_sendmsg+0x10/0x10
 ? aa_sock_msg_perm+0x91/0x160
 ? __pfx_netlink_sendmsg+0x10/0x10
 __sock_sendmsg+0x223/0x270
 ____sys_sendmsg+0x52a/0x7e0
 ? __pfx_____sys_sendmsg+0x10/0x10
 __sys_sendmsg+0x292/0x380
 ? __pfx___sys_sendmsg+0x10/0x10
 ? lockdep_hardirqs_on_prepare+0x43d/0x780
 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
 ? exc_page_fault+0x590/0x8c0
 ? do_syscall_64+0xb6/0x230
 do_syscall_64+0xf3/0x230
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Since an invalid (without '\0' byte at all) byte sequence may be passed
from userspace, add an extra check to ensure that such a sequence is
rejected as possible ID and so never passed to 'kstrdup()' and further.
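
The class of check the description calls for, as an added user-space illustration (not the kernel patch and not code from this advisory): a validator that only rejects an empty ID next to one that also rejects a buffer with no '\0' byte. The `demo_*` names and the 27-byte buffer size are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_ID_LEN 27 /* assumed buffer size for this illustration */

/* Hypothetical stand-in for a fixed-size blob copied in from userspace. */
struct demo_led_info { char id[DEMO_ID_LEN]; };

/* Weak check: rejects only an empty ID; a buffer with no '\0' passes. */
static int demo_check_weak(const struct demo_led_info *info)
{
    return info->id[0] == '\0' ? -EINVAL : 0;
}

/* Strict check: also rejects a buffer that holds no terminator at all. */
static int demo_check_strict(const struct demo_led_info *info)
{
    if (info->id[0] == '\0' || !memchr(info->id, '\0', sizeof(info->id)))
        return -EINVAL;
    return 0;
}

/* Copy the ID only after the strict check; NULL means rejected or no memory. */
static char *demo_dup_id(const struct demo_led_info *info)
{
    if (demo_check_strict(info) != 0)
        return NULL;
    size_t len = strlen(info->id) + 1; /* bounded: '\0' is inside id[] */
    char *copy = malloc(len);
    return copy ? memcpy(copy, info->id, len) : NULL;
}

/* Constructed input: fill every byte of id[] with `fill`, then write `text`. */
static struct demo_led_info demo_make(char fill, const char *text)
{
    struct demo_led_info info;
    memset(info.id, fill, sizeof(info.id));
    memcpy(info.id, text, strlen(text)); /* caller keeps text < DEMO_ID_LEN */
    return info;
}

int main(void)
{
    struct demo_led_info bad = demo_make('A', "");      /* no '\0' anywhere */
    struct demo_led_info good = demo_make('\0', "led0");
    printf("weak(bad)=%d strict(bad)=%d strict(good)=%d\n",
           demo_check_weak(&bad), demo_check_strict(&bad), demo_check_strict(&good));
    return 0;
}
```

With the weak check, the unterminated buffer would reach a string-length call that walks past the end of `id[]`, which is the out-of-bounds read KASAN reported in `strlen()`.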

Vulnerable products and versions

CPE                                            From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   2.6.30 (including)  5.4.287 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)     5.10.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)    5.15.174 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)    6.1.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)     6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)     6.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*