CVE-2024-36927

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
30/05/2024
Last modified:
19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv4: Fix uninit-value access in __ip_make_skb()

KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL while __ip_make_skb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN.

Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket.

Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These are union in struct flowi4 and are implicitly initialized by flowi4_init_output(), but we should not rely on specific union layout.

Initialize these explicitly in raw_sendmsg().

[1]
BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
__ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
ip_finish_skb include/net/ip.h:243 [inline]
ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
__ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
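The race described above, as an added user-space model that is not kernel code: the struct and function names prefixed `m_` are simplified stand-ins for the kernel's sock, flowi4 and skb, and the single-threaded "flip between the two steps" stands in for a concurrent setsockopt(IP_HDRINCL). It contrasts the old __ip_make_skb(), which re-reads the live socket flag, with the fixed one, which only trusts the flag snapshotted into the per-call flow.

```c
/* Added example (not kernel code): simplified model of the CVE-2024-36927 pattern.
 * raw_sendmsg() reads HDRINCL once, records it in the per-call flow (flowi4_flags)
 * and builds the skb from that; another thread may flip HDRINCL at any moment. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define M_FLOWI_FLAG_KNOWN_NH 0x01  /* stands in for FLOWI_FLAG_KNOWN_NH */
#define M_UNINIT 0xEE               /* marks a byte never written (what KMSAN flags) */
struct m_sock   { volatile int hdrincl; };                       /* shared socket state */
struct m_flowi4 { uint8_t flowi4_flags, icmp_type, icmp_code; }; /* per-call flow */
struct m_skb    { bool has_icmphdr; uint8_t hdr_type; };         /* per-call buffer */

/* raw_sendmsg(): read HDRINCL once, record it in the flow, build the skb from it */
static void m_raw_sendmsg(const struct m_sock *sk, uint8_t user_type,
                          struct m_flowi4 *fl4, struct m_skb *skb)
{
    int hdrincl = sk->hdrincl;
    memset(fl4, 0, sizeof(*fl4));   /* explicit init, as the fix does for fl4_icmp_* */
    if (hdrincl)
        fl4->flowi4_flags |= M_FLOWI_FLAG_KNOWN_NH;
    fl4->icmp_type = user_type;
    /* with HDRINCL the user data carries the icmphdr; without it, no header is in the skb */
    skb->has_icmphdr = hdrincl;
    skb->hdr_type = hdrincl ? user_type : M_UNINIT;
}

/* Vulnerable __ip_make_skb(): trusts the live socket flag, which may have changed */
static uint8_t m_make_skb_old(const struct m_sock *sk, const struct m_flowi4 *fl4,
                              const struct m_skb *skb)
{
    return sk->hdrincl ? skb->hdr_type : fl4->icmp_type;
}

/* Fixed __ip_make_skb(): trusts only the flag captured in this call's flow */
static uint8_t m_make_skb_new(const struct m_flowi4 *fl4, const struct m_skb *skb)
{
    return (fl4->flowi4_flags & M_FLOWI_FLAG_KNOWN_NH) ? skb->hdr_type : fl4->icmp_type;
}

/* One send, with HDRINCL flipped by another thread between the two steps */
static uint8_t m_run(bool fixed, int hdrincl_before, int hdrincl_after)
{
    struct m_sock sk = { hdrincl_before };
    struct m_flowi4 fl4; struct m_skb skb;
    m_raw_sendmsg(&sk, 8, &fl4, &skb);   /* 8 = ICMP echo request type */
    sk.hdrincl = hdrincl_after;          /* models a concurrent setsockopt(IP_HDRINCL) */
    return fixed ? m_make_skb_new(&fl4, &skb) : m_make_skb_old(&sk, &fl4, &skb);
}
```

With no flip both versions return the caller's ICMP type; with HDRINCL flipped from 0 to 1 mid-send, the old version returns the never-written header byte while the fixed version still returns the type from the flow.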

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.315 (including) 4.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.283 (including) 4.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.243 (including) 5.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.180 (including) 5.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.111 (including) 5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.28 (including) 6.2 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2.15 (including) 6.3 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3.2 (including) 6.6.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*