In the Linux kernel, the following vulnerability has been resolved:

netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

syzbot reported the following uninit-value access issue [1]:

netlink_to_full_skb() creates a new skb and copies the skb->data of the skb passed as its first argument into the new skb. The data size is specified as len and passed to skb_put_data(). This len is based on skb->end, which is not the data offset but the buffer offset: skb->end covers both the data and the tailroom. Since the tailroom is not initialized when the new skb is created, KMSAN detects an uninitialized memory area when the data is copied. This patch resolves the issue by correcting len from skb->end to skb->len, which is the actual data offset.

```text
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
 copy_to_iter include/linux/uio.h:197 [inline]
 simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532
 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420
 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
 packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg net/socket.c:1066 [inline]
 sock_read_iter+0x467/0x580 net/socket.c:1136
 call_read_iter include/linux/fs.h:2014 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x8f6/0xe00 fs/read_write.c:470
 ksys_read+0x20f/0x4c0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x93/0xd0 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
 skb_put_data include/linux/skbuff.h:2622 [inline]
 netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]
 __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]
 __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325
 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]
 netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 free_pages_prepare mm/page_alloc.c:1087 [inline]
 free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347
 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533
 release_pages+0x23d3/0x2410 mm/swap.c:1042
 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316
 tlb_batch_pages
 —truncated—
```
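The root cause above is a confusion between two sk_buff offsets: skb->len (valid data) and skb->end (end of the allocation, data plus tailroom). The following user-space model is an added example, not kernel code and not the patch itself; it reproduces the skb geometry with a small struct and contrasts the two length computations, counting how many never-written tailroom bytes would reach the destination skb. All names in it (model_skb, model_*, MODEL_UNINIT) are assumptions of this example, and the 0xAA pattern merely stands in for memory that KMSAN would track as uninitialized.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not kernel code): a user-space model of the sk_buff
 * geometry behind this bug. In the kernel, skb->len counts the valid data
 * bytes while skb->end is the offset of the end of the allocation, i.e.
 * data plus tailroom. All names below (model_skb, model_*) are assumptions
 * of this example.
 */
struct model_skb {
    unsigned char *head;  /* start of the buffer */
    unsigned int len;     /* valid data bytes, like skb->len */
    unsigned int end;     /* buffer end offset (data + tailroom), like skb->end */
};

/* Byte pattern standing in for memory the producer never wrote. KMSAN tracks
 * such bytes with shadow memory; here we simply recognise the pattern. */
#define MODEL_UNINIT 0xAA

/* Allocate a model skb holding 'len' message bytes plus 'tailroom' bytes
 * that are deliberately left unwritten (constructed test data). */
static struct model_skb *model_skb_alloc(unsigned int len, unsigned int tailroom)
{
    struct model_skb *skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    skb->head = malloc((size_t)len + tailroom);
    if (!skb->head) {
        free(skb);
        return NULL;
    }
    memset(skb->head, MODEL_UNINIT, (size_t)len + tailroom);
    for (unsigned int i = 0; i < len; i++)
        skb->head[i] = (unsigned char)(i % 0x80);   /* never equals MODEL_UNINIT */
    skb->len = len;
    skb->end = len + tailroom;
    return skb;
}

static void model_skb_free(struct model_skb *skb)
{
    if (skb)
        free(skb->head);
    free(skb);
}

/* Length computation as the page describes it before the fix: the copy
 * size is taken from skb->end, which covers the tailroom as well. */
static unsigned int model_copy_len_vulnerable(const struct model_skb *skb)
{
    return skb->end;
}

/* Length computation after the fix: only the valid data, skb->len. */
static unsigned int model_copy_len_fixed(const struct model_skb *skb)
{
    return skb->len;
}

/* Copy 'n' bytes from the model skb into a fresh destination, like
 * skb_put_data() onto a new skb, and count how many copied bytes carry the
 * uninitialised pattern. That count is what a receiver of the new skb could
 * read beyond the real message. */
static unsigned int model_count_uninit_copied(const struct model_skb *skb, unsigned int n)
{
    unsigned char *dst = malloc(n ? n : 1);
    unsigned int leaked = 0;
    if (!dst)
        return 0;
    memcpy(dst, skb->head, n);
    for (unsigned int i = 0; i < n; i++)
        if (dst[i] == MODEL_UNINIT)
            leaked++;
    free(dst);
    return leaked;
}

/* Build a message of 'len' bytes with 'tailroom' spare bytes, apply either
 * the vulnerable or the fixed length computation, and return the number of
 * uninitialised bytes that ended up in the copy. */
unsigned int model_leaked_bytes(unsigned int len, unsigned int tailroom, int use_fixed_len)
{
    struct model_skb *skb = model_skb_alloc(len, tailroom);
    unsigned int n, leaked;
    if (!skb)
        return 0;
    n = use_fixed_len ? model_copy_len_fixed(skb) : model_copy_len_vulnerable(skb);
    leaked = model_count_uninit_copied(skb, n);
    model_skb_free(skb);
    return leaked;
}

int main(void)
{
    printf("vulnerable (len = skb->end): %u uninitialised bytes copied\n",
           model_leaked_bytes(40, 24, 0));
    printf("fixed      (len = skb->len): %u uninitialised bytes copied\n",
           model_leaked_bytes(40, 24, 1));
    return 0;
}
```

With a 40-byte message and 24 bytes of tailroom, the skb->end variant copies all 24 unwritten bytes into the new buffer while the skb->len variant copies none, which is exactly the difference the one-line fix makes; in the kernel those extra bytes are whatever the page allocator left behind, hence KMSAN's "infoleak-after-free" classification.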
OS | OS version | Architecture | Package | Affected versions | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < 4.15.0-225.237 | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < 5.4.0-186.206 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-35.35 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < 4.4.0-254.288 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < 4.15.0-1168.181 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1126.136 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44
git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d
git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd
git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777
git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285
git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736
git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65
git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77
launchpad.net/bugs/cve/CVE-2024-26805
nvd.nist.gov/vuln/detail/CVE-2024-26805
security-tracker.debian.org/tracker/CVE-2024-26805
ubuntu.com/security/notices/USN-6774-1
ubuntu.com/security/notices/USN-6777-1
ubuntu.com/security/notices/USN-6777-2
ubuntu.com/security/notices/USN-6777-3
ubuntu.com/security/notices/USN-6777-4
ubuntu.com/security/notices/USN-6778-1
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
ubuntu.com/security/notices/USN-6831-1
www.cve.org/CVERecord?id=CVE-2024-26805