cve-2024-35893
Vulnerability from cvelistv5
Published
2024-05-19 08:34
Modified
2024-12-19 08:57
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: prevent kernel-infoleak syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1]. The issue here is that 'struct tc_skbmod' has a four bytes hole. We need to clear the structure before filling fields. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] simple_copy_to_iter net/core/datagram.c:532 [inline] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [inline] __se_sys_recvfrom net/socket.c:2256 [inline] __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [inline] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline] tcf_add_notify net/sched/act_api.c:2048 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: __nla_put lib/nlattr.c:1041 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 [inline] tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [inline] tcf_add_notify net/sched/act_api.c:2042 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Impacted products
Vendor Product Version
Linux Linux Version: 4.9
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35893",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T19:31:02.298124Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:34.282Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.968Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_skbmod.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f190a4aa03cbd518bd9c62a66e1233984f5fd2ec",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "f356eb2fb567e0931143ac1769ac802d3b3e2077",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "5e45dc4408857305f4685abfd7a528a1e58b51b5",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "a097fc199ab5f4b5392c5144034c0d2148b55a14",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            },
            {
              "lessThan": "d313eb8b77557a6d5855f42d2234bd592c7b50dd",
              "status": "affected",
              "version": "86da71b57383d40993cb90baafb3735cffe5d800",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_skbmod.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.312",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.274",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that \u0027struct tc_skbmod\u0027 has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:57:42.594Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"
        },
        {
          "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"
        },
        {
          "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"
        }
      ],
      "title": "net/sched: act_skbmod: prevent kernel-infoleak",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35893",
    "datePublished": "2024-05-19T08:34:48.737Z",
    "dateReserved": "2024-05-17T13:50:33.113Z",
    "dateUpdated": "2024-12-19T08:57:42.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35893\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T09:15:10.307\",\"lastModified\":\"2024-11-21T09:21:08.660\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_skbmod: prevent kernel-infoleak\\n\\nsyzbot found that tcf_skbmod_dump() was copying four bytes\\nfrom kernel stack to user space [1].\\n\\nThe issue here is that \u0027struct tc_skbmod\u0027 has a four bytes hole.\\n\\nWe need to clear the structure before filling fields.\\n\\n[1]\\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n  copy_to_iter include/linux/uio.h:196 [inline]\\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\\n  __do_sys_recvfrom net/socket.c:2260 [inline]\\n  __se_sys_recvfrom net/socket.c:2256 [inline]\\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was stored to memory at:\\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\\n  tcf_action_add net/sched/act_api.c:2071 [inline]\\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\\n  sock_sendmsg_nosec net/socket.c:730 [inline]\\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\\n  __sys_sendmsg net/socket.c:2667 [inline]\\n  __do_sys_sendmsg net/socket.c:2676 [inline]\\n  __se_sys_sendmsg net/socket.c:2674 [inline]\\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was stored to memory at:\\n  __nla_put lib/nlattr.c:1041 [inline]\\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\\n  tcf_action_add net/sched/act_api.c:2071 [inline]\\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/sched: act_skbmod: prevent kernel-infoleak syzbot encontr\u00f3 que tcf_skbmod_dump() estaba copiando cuatro bytes de la pila del kernel al espacio de usuario [1]. El problema aqu\u00ed es que \u0027struct tc_skbmod\u0027 tiene un agujero de cuatro bytes. Necesitamos borrar la estructura antes de completar los campos. [1] ERROR: KMSAN: kernel-infoleak en instrument_copy_to_user include/linux/instrumented.h:114 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en copy_to_user_iter lib/iov_iter.c:24 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en iterate_ubuf include/linux/iov_iter.h:29 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en iterate_and_advance2 include/linux/iov_iter.h:245 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en iterate_and_advance include/linux/iov_iter. h:271 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [en l\u00ednea] copy_to_user_iter lib/iov_iter.c:24 [en l\u00ednea] iterate_ubuf include/linux/iov_iter.h:29 [en l\u00ednea] iterate_and_advance2 include/linux/iov_iter.h:245 [en l\u00ednea] iterate_and_advance include/linux/iov_iter.h:271 [en l\u00ednea] _copy_to_iter+0x366/0x2520 lib/iov_iter.c: 185 copy_to_iter include/linux/uio.h:196 [en l\u00ednea] simple_copy_to_iter net/core/datagram.c:532 [en l\u00ednea] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/ datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [en l\u00ednea] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [en l\u00ednea] 0 neto/ socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [en l\u00ednea] __se_sys_recvfrom net/socket.c:2256 [en l\u00ednea] __x64_sys_recvfrom+0x126/0x1d0 net/ enchufe.c: 2256 do_syscall_64+0xd5/0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit se almacen\u00f3 en la memoria en: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:13 17 netlink_unicast+0x9f/ 0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [en l\u00ednea] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c: 741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [en l\u00ednea] tcf_add_notify net/sched/act_api.c:2048 [en l\u00ednea] tcf_action_add net/sched/act_api.c:2071 [en l\u00ednea] tc_ctl_action+0x146e/0x19d0 net/sched/act_api .c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net / enlace de red /af_netlink.c:1335 [en l\u00ednea] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 __sock_sendmsg + 0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 __do_sys_ enviar mensaje de red/socket. c:2676 [en l\u00ednea] __se_sys_sendmsg net/socket.c:2674 [en l\u00ednea] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 se almacen\u00f3 en la memoria en: __nla_put lib/nlattr .c:1041 [en l\u00ednea] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 tcf_action_dump_1+0x85 mi/ 0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [en l\u00ednea ] tcf_add_notify net/sched/act_api.c: 2042 [inline] tcf_action_add net/sched/act_api.c: 2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c: 2119 rtnetlink_rcv_msg+0x177/0x1900 rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.