Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-38538

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/06/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bridge: xmit: make sure we have at least eth header len bytes<br /> <br /> syzbot triggered an uninit value[1] error in bridge device&amp;#39;s xmit path<br /> by sending a short (less than ETH_HLEN bytes) skb. To fix it check if<br /> we can actually pull that amount instead of assuming.<br /> <br /> Tested with dropwatch:<br /> drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)<br /> origin: software<br /> timestamp: Mon May 13 11:31:53 2024 778214037 nsec<br /> protocol: 0x88a8<br /> length: 2<br /> original length: 2<br /> drop reason: PKT_TOO_SMALL<br /> <br /> [1]<br /> BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65<br /> br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65<br /> __netdev_start_xmit include/linux/netdevice.h:4903 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4917 [inline]<br /> xmit_one net/core/dev.c:3531 [inline]<br /> dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547<br /> __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341<br /> dev_queue_xmit include/linux/netdevice.h:3091 [inline]<br /> __bpf_tx_skb net/core/filter.c:2136 [inline]<br /> __bpf_redirect_common net/core/filter.c:2180 [inline]<br /> __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187<br /> ____bpf_clone_redirect net/core/filter.c:2460 [inline]<br /> bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432<br /> ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997<br /> __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238<br /> bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]<br /> __bpf_prog_run include/linux/filter.h:657 [inline]<br /> bpf_prog_run include/linux/filter.h:664 [inline]<br /> bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425<br /> bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058<br /> bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269<br /> __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678<br /> __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]<br /> __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765<br /> x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): High

Base Score 3.x
7.10
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.12 (including) 6.1.93 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9 (including) 6.9.3 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools