cve-2024-50033
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets [1]. slhc_remember() only checked the size of the packet was at least 20, which is not good enough. We need to make sure the packet includes the IPv4 and TCP header that are supposed to be carried. Add iph and th pointers to make the code more readable. [1] BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455 ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline] ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212 ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52afPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5dPatch
Impacted products
Vendor Product Version
Linux Linux Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff
 Create a notification for this product.
   Linux Linux Version: 3.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-50033",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-22T13:25:49.586727Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-22T13:28:45.501Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "drivers/net/slip/slhc.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "ba6501ea06462d6404d57d5644cf2854db38e7d7",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
                  {
                     lessThan: "36b054324d18e51cf466134e13b6fbe3c91f52af",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
                  {
                     lessThan: "5e336384cc9b608e0551f99c3d87316ca3b0e51a",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
                  {
                     lessThan: "ff5e0f895315706e4ca5a19df15be6866cee4f5d",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
                  {
                     lessThan: "8bb79eb1db85a10865f0d4dd15b013def3f2d246",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
                  {
                     lessThan: "29e8d96d44f51cf89a62dd042be35d052833b95c",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
                  {
                     lessThan: "7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c",
                     status: "affected",
                     version: "b5451d783ade99308dfccdf5ca284ed07affa4ff",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "drivers/net/slip/slhc.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     status: "affected",
                     version: "3.2",
                  },
                  {
                     lessThan: "3.2",
                     status: "unaffected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.4.*",
                     status: "unaffected",
                     version: "5.4.285",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.10.*",
                     status: "unaffected",
                     version: "5.10.227",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.15.*",
                     status: "unaffected",
                     version: "5.15.168",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.1.*",
                     status: "unaffected",
                     version: "6.1.113",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.6.*",
                     status: "unaffected",
                     version: "6.6.57",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.11.*",
                     status: "unaffected",
                     version: "6.11.4",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "6.12",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: make slhc_remember() more robust against malicious packets\n\nsyzbot found that slhc_remember() was missing checks against\nmalicious packets [1].\n\nslhc_remember() only checked the size of the packet was at least 20,\nwhich is not good enough.\n\nWe need to make sure the packet includes the IPv4 and TCP header\nthat are supposed to be carried.\n\nAdd iph and th pointers to make the code more readable.\n\n[1]\n\nBUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\n  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\n  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455\n  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]\n  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212\n  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327\n  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\n  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\n  __release_sock+0x1da/0x330 net/core/sock.c:3072\n  release_sock+0x6b/0x250 net/core/sock.c:3626\n  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\n  sock_sendmsg_nosec net/socket.c:729 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:4091 [inline]\n  slab_alloc_node mm/slub.c:4134 [inline]\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\n  alloc_skb include/linux/skbuff.h:1322 [inline]\n  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\n  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\n  sock_sendmsg_nosec net/socket.c:729 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024",
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-12-19T09:31:46.060Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7",
            },
            {
               url: "https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af",
            },
            {
               url: "https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a",
            },
            {
               url: "https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d",
            },
            {
               url: "https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246",
            },
            {
               url: "https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c",
            },
            {
               url: "https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c",
            },
         ],
         title: "slip: make slhc_remember() more robust against malicious packets",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2024-50033",
      datePublished: "2024-10-21T19:39:35.127Z",
      dateReserved: "2024-10-21T12:17:06.069Z",
      dateUpdated: "2024-12-19T09:31:46.060Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-50033\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-10-21T20:15:16.477\",\"lastModified\":\"2024-11-08T16:15:42.627\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nslip: make slhc_remember() more robust against malicious packets\\n\\nsyzbot found that slhc_remember() was missing checks against\\nmalicious packets [1].\\n\\nslhc_remember() only checked the size of the packet was at least 20,\\nwhich is not good enough.\\n\\nWe need to make sure the packet includes the IPv4 and TCP header\\nthat are supposed to be carried.\\n\\nAdd iph and th pointers to make the code more readable.\\n\\n[1]\\n\\nBUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\\n  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\\n  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455\\n  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]\\n  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212\\n  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327\\n  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\\n  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\\n  __release_sock+0x1da/0x330 net/core/sock.c:3072\\n  release_sock+0x6b/0x250 net/core/sock.c:3626\\n  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\\n  sock_sendmsg_nosec net/socket.c:729 [inline]\\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was created at:\\n  slab_post_alloc_hook mm/slub.c:4091 [inline]\\n  slab_alloc_node mm/slub.c:4134 [inline]\\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186\\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\\n  alloc_skb include/linux/skbuff.h:1322 [inline]\\n  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\\n  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\\n  sock_sendmsg_nosec net/socket.c:729 [inline]\\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nCPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: slip: hacer que slhc_remember() sea más robusto contra paquetes maliciosos syzbot descubrió que slhc_remember() no realizaba comprobaciones contra paquetes maliciosos [1]. slhc_remember() solo comprobaba que el tamaño del paquete fuera al menos 20, lo que no es suficiente. Necesitamos asegurarnos de que el paquete incluya los encabezados IPv4 y TCP que se supone que deben transportarse. Agregue punteros iph y th para que el código sea más legible. [1] ERROR: KMSAN: valor no inicializado en slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455 ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [en línea] ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212 ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [en línea] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [en línea] __se_sys_sendmmsg net/socket.c:2768 [en línea] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit se creó en: slab_post_alloc_hook mm/slub.c:4091 [en línea] slab_alloc_node mm/slub.c:4134 [en línea] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [en línea] sock_wmalloc+0xfe/0x1a0 red/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec red/socket.c:729 [en línea] __sock_sendmsg+0x30f/0x380 red/socket.c:744 ____sys_sendmsg+0x903/0xb60 red/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 red/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 red/socket.c:2742 __do_sys_sendmmsg red/socket.c:2771 [en línea] __se_sys_sendmmsg net/socket.c:2768 [en línea] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 No contaminado 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2\",\"versionEndExcluding\":\"5.10.227\",\"matchCriteriaId\":\"6183BF3B-0B09-4239-A6D3-80AFCA3B0CEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.168\",\"matchCriteriaId\":\"4D51C05D-455B-4D8D-89E7-A58E140B864C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"D01BD22E-ACD1-4618-9D01-6116570BE1EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.57\",\"matchCriteriaId\":\"05D83DB8-7465-4F88-AFB2-980011992AC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.4\",\"matchCriteriaId\":\"AA84D336-CE9A-4535-B901-1AD77EC17C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50033\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T13:25:49.586727Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T13:25:52.898Z\"}}], \"cna\": {\"title\": \"slip: make slhc_remember() more robust against malicious packets\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"ba6501ea0646\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"36b054324d18\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"5e336384cc9b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"ff5e0f895315\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"8bb79eb1db85\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"29e8d96d44f5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b5451d783ade\", \"lessThan\": \"7d3fce8cbe3a\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/slip/slhc.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.2\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"3.2\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.285\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.227\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.168\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.113\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.57\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.11.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12-rc3\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/slip/slhc.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7\"}, {\"url\": \"https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af\"}, {\"url\": \"https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a\"}, {\"url\": \"https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d\"}, {\"url\": \"https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246\"}, {\"url\": \"https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c\"}, {\"url\": \"https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c\"}], \"x_generator\": {\"engine\": \"bippy-9e1c9544281a\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nslip: make slhc_remember() more robust against malicious packets\\n\\nsyzbot found that slhc_remember() was missing checks against\\nmalicious packets [1].\\n\\nslhc_remember() only checked the size of the packet was at least 20,\\nwhich is not good enough.\\n\\nWe need to make sure the packet includes the IPv4 and TCP header\\nthat are supposed to be carried.\\n\\nAdd iph and th pointers to make the code more readable.\\n\\n[1]\\n\\nBUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\\n  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\\n  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455\\n  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]\\n  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212\\n  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327\\n  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\\n  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\\n  __release_sock+0x1da/0x330 net/core/sock.c:3072\\n  release_sock+0x6b/0x250 net/core/sock.c:3626\\n  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\\n  sock_sendmsg_nosec net/socket.c:729 [inline]\\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was created at:\\n  slab_post_alloc_hook mm/slub.c:4091 [inline]\\n  slab_alloc_node mm/slub.c:4134 [inline]\\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186\\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\\n  alloc_skb include/linux/skbuff.h:1322 [inline]\\n  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\\n  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\\n  sock_sendmsg_nosec net/socket.c:729 [inline]\\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nCPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-11-08T15:58:00.276Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-50033\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-08T15:58:00.276Z\", \"dateReserved\": \"2024-10-21T12:17:06.069Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T19:39:35.127Z\", \"assignerShortName\": \"Linux\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.