CVE-2024-44999
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/09/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
gtp: pull network headers in gtp_dev_xmit()<br />
<br />
syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]<br />
<br />
We must make sure the IPv4 or Ipv6 header is pulled in skb->head<br />
before accessing fields in them.<br />
<br />
Use pskb_inet_may_pull() to fix this issue.<br />
<br />
[1]<br />
BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]<br />
BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]<br />
BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281<br />
ipv6_pdp_find drivers/net/gtp.c:220 [inline]<br />
gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]<br />
gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281<br />
__netdev_start_xmit include/linux/netdevice.h:4913 [inline]<br />
netdev_start_xmit include/linux/netdevice.h:4922 [inline]<br />
xmit_one net/core/dev.c:3580 [inline]<br />
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596<br />
__dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423<br />
dev_queue_xmit include/linux/netdevice.h:3105 [inline]<br />
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276<br />
packet_snd net/packet/af_packet.c:3145 [inline]<br />
packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x30f/0x380 net/socket.c:745<br />
__sys_sendto+0x685/0x830 net/socket.c:2204<br />
__do_sys_sendto net/socket.c:2216 [inline]<br />
__se_sys_sendto net/socket.c:2212 [inline]<br />
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212<br />
x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Uninit was created at:<br />
slab_post_alloc_hook mm/slub.c:3994 [inline]<br />
slab_alloc_node mm/slub.c:4037 [inline]<br />
kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080<br />
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583<br />
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:674<br />
alloc_skb include/linux/skbuff.h:1320 [inline]<br />
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526<br />
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815<br />
packet_alloc_skb net/packet/af_packet.c:2994 [inline]<br />
packet_snd net/packet/af_packet.c:3088 [inline]<br />
packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x30f/0x380 net/socket.c:745<br />
__sys_sendto+0x685/0x830 net/socket.c:2204<br />
__do_sys_sendto net/socket.c:2216 [inline]<br />
__se_sys_sendto net/socket.c:2212 [inline]<br />
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212<br />
x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.7 (including) | 4.19.321 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.283 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.225 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.166 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.107 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.48 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/137d565ab89ce3584503b443bc9e00d44f482593
- https://git.kernel.org/stable/c/1f6b62392453d8f36685d19b761307a8c5617ac1
- https://git.kernel.org/stable/c/34ba4f29f3d9eb52dee37512059efb2afd7e966f
- https://git.kernel.org/stable/c/3939d787139e359b77aaf9485d1e145d6713d7b9
- https://git.kernel.org/stable/c/3a3be7ff9224f424e485287b54be00d2c6bd9c40
- https://git.kernel.org/stable/c/3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3
- https://git.kernel.org/stable/c/cbb9a969fc190e85195d1b0f08038e7f6199044e
- https://git.kernel.org/stable/c/f5dda8db382c5751c4e572afc7c99df7da1f83ca
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html