Release Date: | 2024-07-29 |
In the Linux kernel, the following vulnerability has been resolved:\nnet: can: j1939: Initialize unused data in j1939_send_one()\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\ncreates full frame including unused data, but it doesn't initialize\nit. This causes the kernel-infoleak issue. Fix this by initializing\nunused data.\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopy_to_user_iter lib/iov_iter.c:24 [inline]\niterate_ubuf include/linux/iov_iter.h:29 [inline]\niterate_and_advance2 include/linux/iov_iter.h:245 [inline]\niterate_and_advance include/linux/iov_iter.h:271 [inline]\n_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\ncopy_to_iter include/linux/uio.h:196 [inline]\nmemcpy_to_msg include/linux/skbuff.h:4113 [inline]\nraw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\nsock_recvmsg_nosec net/socket.c:1046 [inline]\nsock_recvmsg+0x2c4/0x340 net/socket.c:1068\n____sys_recvmsg+0x18a/0x620 net/socket.c:2803\n___sys_recvmsg+0x223/0x840 net/socket.c:2845\ndo_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\n__sys_recvmmsg net/socket.c:3018 [inline]\n__do_sys_recvmmsg net/socket.c:3041 [inline]\n__se_sys_recvmmsg net/socket.c:3034 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\nx64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:3804 [inline]\nslab_alloc_node mm/slub.c:3845 [inline]\nkmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\nalloc_skb include/linux/skbuff.h:1313 [inline]\nalloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\nsock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\nsock_alloc_send_skb include/net/sock.h:1842 [inline]\nj1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\nj1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\nj1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\nx64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nBytes 12-15 of 16 are uninitialized\nMemory access of size 16 starts at ffff888120969690\nData copied to user address 00000000200017c0\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
See more information about CVE-2024-42076 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 5.5 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: | Local network | Attack Complexity: | Low |
Privileges Required: | Low | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12610 | 2024-09-10 |
Oracle Linux version 7 (kernel-uek-container) | ELSA-2024-12612 | 2024-09-11 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12610 | 2024-09-10 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
Oracle Linux version 8 (kernel-uek-container) | ELSA-2024-12612 | 2024-09-11 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: