
CVE-2024-26805

2024-04-04 00:00:00
ubuntu.com
linux kernel
netlink vulnerability
data offset issue

AI Score: 7.6 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 13.2%)

In the Linux kernel, the following vulnerability has been resolved:

netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

syzbot reported the following uninit-value access issue [1]:

netlink_to_full_skb() creates a new skb and puts the skb->data passed as the 1st arg of netlink_to_full_skb() onto the new skb. The data size is specified as len and passed to skb_put_data(). This len is based on skb->end, which is not the data offset but the buffer offset. The skb->end contains data and tailroom. Since the tailroom is not initialized when the new skb is created, KMSAN detects an uninitialized memory area when copying the data.

This patch resolves this issue by correcting the len from skb->end to skb->len, which is the actual data offset.

BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
 copy_to_iter include/linux/uio.h:197 [inline]
 simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532
 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420
 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
 packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg net/socket.c:1066 [inline]
 sock_read_iter+0x467/0x580 net/socket.c:1136
 call_read_iter include/linux/fs.h:2014 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x8f6/0xe00 fs/read_write.c:470
 ksys_read+0x20f/0x4c0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x93/0xd0 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
 skb_put_data include/linux/skbuff.h:2622 [inline]
 netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]
 __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]
 __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325
 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]
 netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 free_pages_prepare mm/page_alloc.c:1087 [inline]
 free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347
 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533
 release_pages+0x23d3/0x2410 mm/swap.c:1042
 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316
 tlb_batch_pages
—truncated—
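The length mix-up is easy to misread, so here is an added userspace model of it. This is example code written for this page, not the kernel's netlink_to_full_skb() and not the commit's diff: a toy struct with head/data/tail/end/len fields stands in for sk_buff, the tailroom is filled with a poison byte to play the role of memory that was never written (KMSAN's job in the real report), and a "before" length function models the pre-fix computation as the buffer size (end minus head) while the "after" function uses skb->len, as the commit message says. The payload is a constructed string; the buffer size, poison value and helper names are assumptions of the model. The KMSAN trace above shows the copied bytes being read back through packet_recvmsg() after netlink_deliver_tap(), i.e. the consumer of the over-long copy is a packet socket listening on the netlink tap, which is the condition that turns the copy into an infoleak.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the sk_buff fields that matter here
 * (not kernel code). head..end is the allocated buffer, data..tail is
 * the payload (len bytes), tail..end is tailroom that was never written. */
struct toy_skb {
    unsigned char *head;
    unsigned char *data;
    unsigned char *tail;
    unsigned char *end;
    size_t len;
};

/* Stand-in for "uninitialized" memory: the tailroom is poisoned so a copy
 * that includes it is detectable, much as KMSAN flags it in the kernel. */
#define POISON 0xA5

static struct toy_skb *toy_alloc(size_t bufsize, const void *payload, size_t plen)
{
    struct toy_skb *skb = calloc(1, sizeof *skb);
    if (!skb || plen > bufsize) { free(skb); return NULL; }
    skb->head = malloc(bufsize);
    if (!skb->head) { free(skb); return NULL; }
    memset(skb->head, POISON, bufsize);     /* whole buffer "uninitialized" */
    skb->data = skb->head;
    memcpy(skb->data, payload, plen);       /* only the payload is written */
    skb->len  = plen;
    skb->tail = skb->data + plen;
    skb->end  = skb->head + bufsize;
    return skb;
}

static void toy_free(struct toy_skb *skb)
{
    if (!skb) return;
    free(skb->head);
    free(skb);
}

/* Models skb_put_data(new, src->data, len): copy len bytes into a fresh
 * buffer and report how many of them came from beyond src->tail. */
static size_t copy_to_full_skb(const struct toy_skb *src, size_t len,
                               unsigned char *dst, size_t dstsize)
{
    if (len > dstsize) len = dstsize;
    memcpy(dst, src->data, len);
    size_t payload = (size_t)(src->tail - src->data);
    return len > payload ? len - payload : 0;   /* tailroom bytes copied */
}

/* Assumed model of the pre-fix length: the buffer end, not the data end. */
static size_t len_before_fix(const struct toy_skb *skb)
{
    return (size_t)(skb->end - skb->head);
}

/* Post-fix length per the commit message: skb->len, the real data size. */
static size_t len_after_fix(const struct toy_skb *skb)
{
    return skb->len;
}

/* Runs one copy with the given length rule and returns how many poisoned
 * (never-written) bytes reached the destination; 0 means no infoleak.
 * The arithmetic result is cross-checked against the bytes actually copied. */
static size_t leaked_bytes(size_t (*lenfn)(const struct toy_skb *))
{
    static const char msg[] = "NLMSG payload";        /* constructed sample */
    struct toy_skb *skb = toy_alloc(64, msg, sizeof msg - 1);
    if (!skb) return (size_t)-1;
    unsigned char out[64];
    size_t want = lenfn(skb);
    size_t leaked = copy_to_full_skb(skb, want, out, sizeof out);
    size_t poisoned = 0;
    for (size_t i = 0; i < want && i < sizeof out; i++)
        if (out[i] == POISON) poisoned++;
    toy_free(skb);
    return leaked == poisoned ? leaked : (size_t)-1;
}

int main(void)
{
    printf("before fix: %zu tailroom bytes copied out\n", leaked_bytes(len_before_fix));
    printf("after fix:  %zu tailroom bytes copied out\n", leaked_bytes(len_after_fix));
    return 0;
}
```

With a 64-byte buffer and a 13-byte payload the pre-fix rule copies 51 bytes of tailroom alongside the message and the post-fix rule copies none; the only difference between the two runs is which field the length is taken from.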
