// For flags

CVE-2024-26805

netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

syzbot reported the following uninit-value access issue [1]:

netlink_to_full_skb() creates a new `skb` and puts the `skb->data`
passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data
size is specified as `len` and passed to skb_put_data(). This `len`
is based on `skb->end` that is not data offset but buffer offset. The
`skb->end` contains data and tailroom. Since the tailroom is not
initialized when the new `skb` created, KMSAN detects uninitialized
memory area when copying the data.

This patch resolved this issue by correct the len from `skb->end` to
`skb->len`, which is the actual data offset.

BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
copy_to_iter include/linux/uio.h:197 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg net/socket.c:1066 [inline]
sock_read_iter+0x467/0x580 net/socket.c:1136
call_read_iter include/linux/fs.h:2014 [inline]
new_sync_read fs/read_write.c:389 [inline]
vfs_read+0x8f6/0xe00 fs/read_write.c:470
ksys_read+0x20f/0x4c0 fs/read_write.c:613
__do_sys_read fs/read_write.c:623 [inline]
__se_sys_read fs/read_write.c:621 [inline]
__x64_sys_read+0x93/0xd0 fs/read_write.c:621
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
skb_put_data include/linux/skbuff.h:2622 [inline]
netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]
__netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]
__netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325
netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]
netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
free_pages_prepare mm/page_alloc.c:1087 [inline]
free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347
free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533
release_pages+0x23d3/0x2410 mm/swap.c:1042
free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316
tlb_batch_pages
---truncated---

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netlink: Fix kernel-infoleak-after-free en __skb_datagram_iter syzbot informó el siguiente problema de acceso al valor uninit [1]: netlink_to_full_skb() crea un nuevo `skb` y coloca el ` skb->data` pasó como primer argumento de netlink_to_full_skb() al nuevo `skb`. El tamaño de los datos se especifica como `len` y se pasa a skb_put_data(). Este `len` se basa en `skb->end` que no es un desplazamiento de datos sino un desplazamiento del búfer. El `skb->end` contiene datos y espacio de adaptación. Dado que el tailroom no se inicializa cuando se crea el nuevo `skb`, KMSAN detecta un área de memoria no inicializada al copiar los datos. Este parche resolvió este problema corrigiendo la longitud de `skb->end` a `skb->len`, que es el desplazamiento de datos real. ERROR: KMSAN: kernel-infoleak-after-free en instrument_copy_to_user include/linux/instrumented.h:114 [en línea] ERROR: KMSAN: kernel-infoleak-after-free en copy_to_user_iter lib/iov_iter.c:24 [en línea] ERROR: KMSAN: kernel-infoleak-after-free en iterate_ubuf include/linux/iov_iter.h:29 [en línea] ERROR: KMSAN: kernel-infoleak-after-free en iterate_and_advance2 include/linux/iov_iter.h:245 [en línea] ERROR: KMSAN: kernel-infoleak-after-free en iterate_and_advance include/linux/iov_iter.h:271 [en línea] ERROR: KMSAN: kernel-infoleak-after-free en _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 instrument_copy_to_user include/ linux/instrumented.h:114 [en línea] copy_to_user_iter lib/iov_iter.c:24 [en línea] iterate_ubuf include/linux/iov_iter.h:29 [en línea] iterate_and_advance2 include/linux/iov_iter.h:245 [en línea] iterate_and_advance include/ linux/iov_iter.h:271 [en línea] _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 copy_to_iter include/linux/uio.h:197 [en línea] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 __skb_datagram_iter +0x123/0xdc0 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:3960 [en línea] paquete_recvmsg+0xd9c/0x2000 net/packet/af_packet .c:3482 sock_recvmsg_nosec net/socket.c:1044 [en línea] sock_recvmsg net/socket.c:1066 [en línea] sock_read_iter+0x467/0x580 net/socket.c:1136 call_read_iter include/linux/fs.h:2014 [en línea ] new_sync_read fs/read_write.c:389 [en línea] vfs_read+0x8f6/0xe00 fs/read_write.c:470 ksys_read+0x20f/0x4c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [en línea] __se_sys_read fs/ read_write.c:621 [en línea] __x64_sys_read+0x93/0xd0 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0x44/0x110 arch/x86/entry/common.c: 83 Entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit se almacenó en la memoria en: skb_put_data include/linux/skbuff.h:2622 [en línea] netlink_to_full_skb net/netlink/af_netlink.c:181 [en línea] __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [ en línea] __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 [en línea] netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [en línea] netlink_unicast_kernel net/netlink/af_netlink.c :1341 [en línea] netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [en línea] __sock_sendmsg net/socket.c :745 [en línea] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [en línea] __do_sys_sendmsg net/socket.c:267 6 [en línea ] __se_sys_sendmsg net/socket.c:2674 [en línea] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0x44/0x110 arch/x86/ entrada/ common.c:83 Entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit se creó en: free_pages_prepare mm/page_alloc.c:1087 [en línea] free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 ---truncado---

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-04-04 CVE Published
  • 2024-04-05 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 4.19.309
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 4.19.309"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 5.4.271
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.4.271"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 5.10.212
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.10.212"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 5.15.151
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.15.151"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 6.1.81
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 6.1.81"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 6.6.21
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 6.6.21"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 6.7.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 6.7.9"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.3 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 6.8"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
3.12.49
Search vendor "Linux" for product "Linux Kernel" and version "3.12.49"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
3.14.54
Search vendor "Linux" for product "Linux Kernel" and version "3.14.54"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
3.18.23
Search vendor "Linux" for product "Linux Kernel" and version "3.18.23"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.1.10
Search vendor "Linux" for product "Linux Kernel" and version "4.1.10"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.2.3
Search vendor "Linux" for product "Linux Kernel" and version "4.2.3"
en
Affected