Release Date: | 2024-06-19 |
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: xmit: make sure we have at least eth header len bytes

syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
origin: software
timestamp: Mon May 13 11:31:53 2024 778214037 nsec
protocol: 0x88a8
length: 2
original length: 2
drop reason: PKT_TOO_SMALL

[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
__dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
__bpf_tx_skb net/core/filter.c:2136 [inline]
__bpf_redirect_common net/core/filter.c:2180 [inline]
__bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
____bpf_clone_redirect net/core/filter.c:2460 [inline]
bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
__bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
__do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
__x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
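
The bug class described in the commit message, shown as an added user-space model (not kernel code and not part of this advisory): a transmit path that assumes ETH_HLEN bytes are present makes its forwarding decision from bytes the sender never supplied, while the checked version drops the short frame. The struct, the function names and the stale byte values are hypothetical and constructed for illustration.

```c
/* Added illustration: user-space model of the xmit length check, not kernel code. */
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14              /* 6 dst MAC + 6 src MAC + 2 EtherType */

enum verdict { V_UNICAST, V_FLOOD, V_DROP_PKT_TOO_SMALL };

struct frame {                   /* hypothetical stand-in for an skb */
    uint8_t buf[64];             /* backing storage, may hold stale bytes */
    size_t  len;                 /* bytes the sender actually supplied */
};

static int is_broadcast(const uint8_t *mac)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    return memcmp(mac, bcast, 6) == 0;
}

/* Assumes the header is present: for a short frame the verdict depends on stale bytes. */
enum verdict xmit_unchecked(const struct frame *f)
{
    return is_broadcast(f->buf) ? V_FLOOD : V_UNICAST;
}

/* Confirms ETH_HLEN bytes are really there before reading the header. */
enum verdict xmit_checked(const struct frame *f)
{
    if (f->len < ETH_HLEN)
        return V_DROP_PKT_TOO_SMALL;
    return is_broadcast(f->buf) ? V_FLOOD : V_UNICAST;
}

/* Constructed sample: a 2-byte frame (the length in the dropwatch output)
 * laid over a buffer pre-filled with a constructed stale byte value. */
struct frame make_short_frame(uint8_t stale)
{
    struct frame f;
    memset(f.buf, stale, sizeof f.buf);
    f.buf[0] = 0xff; f.buf[1] = 0xff;   /* the only bytes supplied */
    f.len = 2;
    return f;
}

int main(void)
{
    struct frame f = make_short_frame(0x00);
    return xmit_checked(&f) == V_DROP_PKT_TOO_SMALL ? 0 : 1;
}
```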
See more information about CVE-2024-38538 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 5.5 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: | Local network | Attack Complexity: | Low |
Privileges Required: | Low | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 8 (kernel) | ELSA-2024-5101 | 2024-08-08 |
Oracle Linux version 9 (kernel) | ELSA-2024-5928 | 2024-08-28 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: