CVE-2024-57802

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netrom: check buffer length before accessing it<br /> <br /> Syzkaller reports an uninit value read from ax25cmp when sending raw message<br /> through ieee802154 implementation.<br /> <br /> =====================================================<br /> BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119<br /> ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119<br /> nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601<br /> nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774<br /> nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144<br /> __netdev_start_xmit include/linux/netdevice.h:4940 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4954 [inline]<br /> xmit_one net/core/dev.c:3548 [inline]<br /> dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564<br /> __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349<br /> dev_queue_xmit include/linux/netdevice.h:3134 [inline]<br /> raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299<br /> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br /> __sys_sendmsg net/socket.c:2667 [inline]<br /> __do_sys_sendmsg net/socket.c:2676 [inline]<br /> __se_sys_sendmsg net/socket.c:2674 [inline]<br /> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768<br /> slab_alloc_node mm/slub.c:3478 [inline]<br /> kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560<br /> __alloc_skb+0x318/0x740 net/core/skbuff.c:651<br /> alloc_skb include/linux/skbuff.h:1286 [inline]<br /> alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334<br /> sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780<br /> sock_alloc_send_skb include/net/sock.h:1884 [inline]<br /> raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282<br /> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br /> __sys_sendmsg net/socket.c:2667 [inline]<br /> __do_sys_sendmsg net/socket.c:2676 [inline]<br /> __se_sys_sendmsg net/socket.c:2674 [inline]<br /> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023<br /> =====================================================<br /> <br /> This issue occurs because the skb buffer is too small, and it&amp;#39;s actual<br /> allocation is aligned. This hides an actual issue, which is that nr_route_frame<br /> does not validate the buffer size before using it.<br /> <br /> Fix this issue by checking skb-&gt;len before accessing any fields in skb-&gt;data.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.