CVE-2024-35827
io_uring/net: fix overflow check in io_recvmsg_mshot_prep()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: fix overflow check in io_recvmsg_mshot_prep()
The "controllen" variable is type size_t (unsigned long). Casting it
to int could lead to an integer underflow.
The check_add_overflow() function considers the type of the destination
which is type int. If we add two positive values and the result cannot
fit in an integer then that's counted as an overflow.
However, if we cast "controllen" to an int and it turns negative, then
negative values *can* fit into an int type so there is no overflow.
Good: 100 + (unsigned long)-4 = 96 <-- overflow
Bad: 100 + (int)-4 = 96 <-- no overflow
I deleted the cast of the sizeof() as well. That's not a bug but the
cast is unnecessary.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring/net: corregida la comprobación de desbordamiento en io_recvmsg_mshot_prep() La variable "controllen" es de tipo size_t (largo sin firmar). Convertirlo a int podría provocar un desbordamiento de números enteros. La función check_add_overflow() considera el tipo de destino que es de tipo int. Si sumamos dos valores positivos y el resultado no cabe en un número entero, entonces se cuenta como un desbordamiento. Sin embargo, si convertimos "controllen" en un int y se vuelve negativo, entonces los valores negativos *pueden* caber en un tipo int para que no haya desbordamiento. Bueno: 100 + (unsigned long)-4 = 96 <-- overflow Malo: 100 + (int)-4 = 96 <-- no overflow También eliminé el cast de sizeof(). Eso no es un error, pero el cast es innecesario.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-17 CVE Reserved
- 2024-05-17 CVE Published
- 2024-05-18 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/9b0fc3c054ff2eb13753104884f1045b5bb3a627 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.1.83" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.6.23" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.7.11" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.8.2" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.9" | en |
Affected
| ||||||