ghsa-qf65-4f88-5xjw
Vulnerability from github
Published
2024-08-17 09:30
Modified
2024-08-19 21:35
Details

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: Initialize all fields in dumped nexthops

struct nexthop_grp contains two reserved fields that are not initialized by nla_put_nh_group(), and carry garbage. This can be observed e.g. with strace (edited for clarity):

# ip nexthop add id 1 dev lo
# ip nexthop add id 101 group 1
# strace -e recvmsg ip nexthop get id 101
...
recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},
             [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52

The fields are reserved and therefore not currently used. But as they are, they leak kernel memory, and the fact they are not just zero complicates repurposing of the fields for new ends. Initialize the full structure.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-42283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: Initialize all fields in dumped nexthops\n\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\n\n    # ip nexthop add id 1 dev lo\n    # ip nexthop add id 101 group 1\n    # strace -e recvmsg ip nexthop get id 101\n    ...\n    recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n                 [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\n\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.",
  "id": "GHSA-qf65-4f88-5xjw",
  "modified": "2024-08-19T21:35:09Z",
  "published": "2024-08-17T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42283"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.