Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-56663

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/12/2024
Last modified:
06/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one<br /> <br /> Since the netlink attribute range validation provides inclusive<br /> checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be<br /> IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.<br /> <br /> One crash stack for demonstration:<br /> ==================================================================<br /> BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939<br /> Read of size 6 at addr 001102080000000c by task fuzzer.386/9508<br /> <br /> CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106<br /> print_report+0xe0/0x750 mm/kasan/report.c:398<br /> kasan_report+0x139/0x170 mm/kasan/report.c:495<br /> kasan_check_range+0x287/0x290 mm/kasan/generic.c:189<br /> memcpy+0x25/0x60 mm/kasan/shadow.c:65<br /> ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939<br /> rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]<br /> nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453<br /> genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756<br /> genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]<br /> genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850<br /> netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508<br /> genl_rcv+0x24/0x40 net/netlink/genetlink.c:861<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]<br /> netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352<br /> netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874<br /> sock_sendmsg_nosec net/socket.c:716 [inline]<br /> __sock_sendmsg net/socket.c:728 [inline]<br /> ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499<br /> ___sys_sendmsg+0x21c/0x290 net/socket.c:2553<br /> __sys_sendmsg net/socket.c:2582 [inline]<br /> __do_sys_sendmsg net/socket.c:2591 [inline]<br /> __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Update the policy to ensure correct validation.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): High

Base Score 3.x
7.10
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19.2 (including) 5.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.0 (including) 6.1.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.67 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools