In the Linux kernel, the following vulnerability has been resolved: hsr:
Fix uninit-value access in hsr_get_node() KMSAN reported the following
uninit-value access issue [1]:
===================================================== BUG: KMSAN:
uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246
hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info
net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0
net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one
net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10
net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd
net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30
net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10
net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0
net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at:
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node
mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740
net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 packet_alloc_skb
net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030
[inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg
net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto
net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140
arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 1
PID: 5033 Comm: syz-executor334 Not tainted
6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute
Engine/Google Compute Engine, BIOS Google 11/17/2023
===================================================== If the packet type ID
field in the Ethernet header is either ETH_P_PRP or ETH_P_HSR, but it is
not followed by an HSR tag, hsr_get_skb_sequence_nr() reads an invalid
value as a sequence number. This causes the above issue. This patch fixes
the issue by returning NULL if the Ethernet header is not followed by an
HSR tag.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1063.69~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
git.kernel.org/linus/ddbec99f58571301679addbc022256970ca3eac6 (6.9-rc1)
git.kernel.org/stable/c/09e5cdbe2cc88c3c758927644a3eb02fac317209
git.kernel.org/stable/c/1ed222ca7396938eb1ab2d034f1ba0d8b00a7122
git.kernel.org/stable/c/39cc316fb3bc5e7c9dc5eed314fe510d119c6862
git.kernel.org/stable/c/7fb2d4d6bb1c85f7a23aace0ed6c86a95dea792a
git.kernel.org/stable/c/889ed056eae7fda85b769a9ab33c093379c45428
git.kernel.org/stable/c/97d2148ea435dff4b4e71817c9032eb321bcd37e
git.kernel.org/stable/c/a809bbfd0e503351d3051317288a70a4569a4949
git.kernel.org/stable/c/ddbec99f58571301679addbc022256970ca3eac6
git.kernel.org/stable/c/e3b2bfb8ff1810a537b2aa55ba906a6743ed120c
launchpad.net/bugs/cve/CVE-2024-26863
nvd.nist.gov/vuln/detail/CVE-2024-26863
security-tracker.debian.org/tracker/CVE-2024-26863
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
www.cve.org/CVERecord?id=CVE-2024-26863