CVE-2024-50110
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50110
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50110.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-50110
- Related
- Published
- 2024-11-05T18:15:14Z
- Modified
- 2024-11-16T05:49:51.467557Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix one more kernel-infoleak in algo dumping
During fuzz testing, the following issue was discovered:
BUG: KMSAN: kernel-infoleak in copytoiter+0x598/0x2a30 _copytoiter+0x598/0x2a30 _skbdatagramiter+0x168/0x1060 skbcopydatagramiter+0x5b/0x220 netlinkrecvmsg+0x362/0x1700 sockrecvmsg+0x2dc/0x390 _sysrecvfrom+0x381/0x6d0 _x64sysrecvfrom+0x130/0x200 x64syscall+0x32c8/0x3cc0 dosyscall64+0xd8/0x1c0 entrySYSCALL64afterhwframe+0x79/0x81
Uninit was stored to memory at: copytouserstateextra+0xcc1/0x1e00 dumponestate+0x28c/0x5f0 xfrmstatewalk+0x548/0x11e0 xfrmdumpsa+0x1e0/0x840 netlinkdump+0x943/0x1c40 netlinkdumpstart+0x746/0xdb0 xfrmuserrcvmsg+0x429/0xc00 netlinkrcvskb+0x613/0x780 xfrmnetlinkrcv+0x77/0xc0 netlinkunicast+0xe90/0x1280 netlinksendmsg+0x126d/0x1490 _socksendmsg+0x332/0x3d0 syssendmsg+0x863/0xc30 _syssendmsg+0x285/0x3e0 _x64syssendmsg+0x2d6/0x560 x64syscall+0x1316/0x3cc0 dosyscall64+0xd8/0x1c0 entrySYSCALL64after_hwframe+0x79/0x81
Uninit was created at: kmalloc+0x571/0xd30 attachauth+0x106/0x3e0 xfrmaddsa+0x2aa0/0x4230 xfrmuserrcvmsg+0x832/0xc00 netlinkrcvskb+0x613/0x780 xfrmnetlinkrcv+0x77/0xc0 netlinkunicast+0xe90/0x1280 netlinksendmsg+0x126d/0x1490 _socksendmsg+0x332/0x3d0 syssendmsg+0x863/0xc30 _syssendmsg+0x285/0x3e0 _x64syssendmsg+0x2d6/0x560 x64syscall+0x1316/0x3cc0 dosyscall64+0xd8/0x1c0 entrySYSCALL64after_hwframe+0x79/0x81
Bytes 328-379 of 732 are uninitialized Memory access of size 732 starts at ffff88800e18e000 Data copied to user address 00007ff30f48aff0
CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Fixes copying of xfrm algorithms where some random data of the structure fields can end up in userspace. Padding in structures may be filled with random (possibly sensitve) data and should never be given directly to user-space.
A similar issue was resolved in the commit 8222d5910dae ("xfrm: Zero padding when dumping algos and encap")
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
- References
-
- https://git.kernel.org/stable/c/1e8fbd2441cb2ea28d6825f2985bf7d84af060bb
- https://git.kernel.org/stable/c/610d4cea9b442b22b4820695fc3335e64849725e
- https://git.kernel.org/stable/c/6889cd2a93e1e3606b3f6e958aa0924e836de4d2
- https://git.kernel.org/stable/c/c73bca72b84b453c8d26a5e7673b20adb294bf54
- https://git.kernel.org/stable/c/dc2ad8e8818e4bf1a93db78d81745b4877b32972
- https://security-tracker.debian.org/tracker/CVE-2024-50110
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.115-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.11.6-1