CVE-2024-35944
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-35944
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35944.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-35944
- Related
- Published
- 2024-05-19T11:15:50Z
- Modified
- 2024-09-18T03:26:21.028376Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
VMCI: Fix memcpy() run-time warning in dgdispatchas_host()
Syzkaller hit 'WARNING in dgdispatchas_host' bug.
memcpy: detected field-spanning write (size 56) of single field "&dginfo->msg" at drivers/misc/vmwvmci/vmci_datagram.c:237 (size 24)
WARNING: CPU: 0 PID: 1555 at drivers/misc/vmwvmci/vmcidatagram.c:237 dgdispatchashost+0x88e/0xa60 drivers/misc/vmwvmci/vmci_datagram.c:237
Some code commentry, based on my understanding:
544 #define VMCIDGSIZE(dg) (VMCIDGHEADERSIZE + (sizet)(dg)->payloadsize) /// This is 24 + payload_size
memcpy(&dginfo->msg, dg, dgsize); Destination = dginfo->msg ---> this is a 24 byte structure(struct vmcidatagram) Source = dg --> this is a 24 byte structure (struct vmcidatagram) Size = dgsize = 24 + payload_size
{payloadsize = 56-24 =32} -- Syzkaller managed to set payloadsize to 32.
35 struct delayeddatagraminfo { 36 struct datagramentry *entry; 37 struct workstruct work; 38 bool indghostqueue; 39 /* msg and msgpayload must be together. */ 40 struct vmcidatagram msg; 41 u8 msgpayload[]; 42 };
So those extra bytes of payload are copied into msg_payload[], a run time warning is seen while fuzzing with Syzkaller.
One possible way to fix the warning is to split the memcpy() into two parts -- one -- direct assignment of msg and second taking care of payload.
Gustavo quoted: "Under FORTIFY_SOURCE we should not copy data across multiple members in a structure."
- References
-
- https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74
- https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec
- https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f
- https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
- https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73
- https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
- https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
- https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://security-tracker.debian.org/tracker/CVE-2024-35944
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.216-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.90-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.8.9-1