Release Date: | 2024-07-30 |
In the Linux kernel, the following vulnerability has been resolved:\ninet_diag: Initialize pad field in struct inet_diag_req_v2\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\nraw_lookup net/ipv4/raw_diag.c:49 [inline]\nraw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\nraw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\ninet_diag_cmd_exact+0x7d9/0x980\ninet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\ninet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\nsock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\nnetlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\nsock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\nnetlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\nnetlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\nnetlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x332/0x3d0 net/socket.c:745\n____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n__sys_sendmsg net/socket.c:2668 [inline]\n__do_sys_sendmsg net/socket.c:2677 [inline]\n__se_sys_sendmsg net/socket.c:2675 [inline]\n__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\nx64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nUninit was stored to memory at:\nraw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\nraw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\ninet_diag_cmd_exact+0x7d9/0x980\ninet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\ninet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\nsock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\nnetlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\nsock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\nnetlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\nnetlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\nnetlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x332/0x3d0 net/socket.c:745\n____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n__sys_sendmsg net/socket.c:2668 [inline]\n__do_sys_sendmsg net/socket.c:2677 [inline]\n__se_sys_sendmsg net/socket.c:2675 [inline]\n__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\nx64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nLocal variable req.i created at:\ninet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\ninet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\nsock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
See more information about CVE-2024-42106 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 4.4 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: | Local network | Attack Complexity: | Low |
Privileges Required: | High | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12610 | 2024-09-10 |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12779 | 2024-10-11 |
Oracle Linux version 7 (kernel-uek-container) | ELSA-2024-12612 | 2024-09-11 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12610 | 2024-09-10 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
Oracle Linux version 8 (kernel-uek-container) | ELSA-2024-12612 | 2024-09-11 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: