fkie_cve-2024-56643
Vulnerability from fkie_nvd
Published
2024-12-27 15:15
Modified
2025-01-06 17:14
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: dccp: Fix memory leak in dccp_feat_change_recv If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed. Here is the kmemleak stack for this: unreferenced object 0xffff88801d4ab488 (size 8): comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) hex dump (first 8 bytes): 01 b4 4a 1d 80 88 ff ff ..J..... backtrace: [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128 [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline] [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline] [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650 [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688 [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline] [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570 [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111 [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline] [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865 [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882 [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline] [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline] [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889 [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0bc72e14Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85dPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.13


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1298C84F-E296-4E2D-8B96-829D4E94588D",
              "versionEndExcluding": "5.4.287",
              "versionStartIncluding": "2.6.29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B5C644CC-2BD7-4E32-BC54-8DCC7ABE9935",
              "versionEndExcluding": "5.10.231",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "419FD073-1517-4FD5-8158-F94BC68A1E89",
              "versionEndExcluding": "5.15.174",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "09AC6122-E2A4-40FE-9D33-268A1B2EC265",
              "versionEndExcluding": "6.1.120",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "29A976AD-B9AB-4A95-9F08-7669F8847EB9",
              "versionEndExcluding": "6.6.66",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9501D045-7A94-42CA-8B03-821BE94A65B7",
              "versionEndExcluding": "6.12.5",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: Fix memory leak in dccp_feat_change_recv\n\nIf dccp_feat_push_confirm() fails after new value for SP feature was accepted\nwithout reconciliation (\u0027entry == NULL\u0027 branch), memory allocated for that value\nwith dccp_feat_clone_sp_val() is never freed.\n\nHere is the kmemleak stack for this:\n\nunreferenced object 0xffff88801d4ab488 (size 8):\n  comm \"syz-executor310\", pid 1127, jiffies 4295085598 (age 41.666s)\n  hex dump (first 8 bytes):\n    01 b4 4a 1d 80 88 ff ff                          ..J.....\n  backtrace:\n    [\u003c00000000db7cabfe\u003e] kmemdup+0x23/0x50 mm/util.c:128\n    [\u003c0000000019b38405\u003e] kmemdup include/linux/string.h:465 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416\n    [\u003c00000000b1f6d94a\u003e] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125\n    [\u003c0000000030d7b621\u003e] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650\n    [\u003c000000001f74c72e\u003e] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688\n    [\u003c00000000a6c24128\u003e] sk_backlog_rcv include/net/sock.h:1041 [inline]\n    [\u003c00000000a6c24128\u003e] __release_sock+0x139/0x3b0 net/core/sock.c:2570\n    [\u003c00000000cf1f3a53\u003e] release_sock+0x54/0x1b0 net/core/sock.c:3111\n    [\u003c000000008422fa23\u003e] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]\n    [\u003c000000008422fa23\u003e] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696\n    [\u003c0000000015b6f64d\u003e] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735\n    [\u003c0000000010122488\u003e] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865\n    [\u003c00000000b4b70023\u003e] __sys_connect+0x165/0x1a0 net/socket.c:1882\n    [\u003c00000000f4cb3815\u003e] __do_sys_connect net/socket.c:1892 [inline]\n    [\u003c00000000f4cb3815\u003e] __se_sys_connect net/socket.c:1889 [inline]\n    [\u003c00000000f4cb3815\u003e] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889\n    [\u003c00000000e7b1e839\u003e] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n    [\u003c0000000055e91434\u003e] entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nClean up the allocated memory in case of dccp_feat_push_confirm() failure\nand bail out with an error reset code.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dccp: Se corrige la p\u00e9rdida de memoria en dccp_feat_change_recv Si dccp_feat_push_confirm() falla despu\u00e9s de que se acept\u00f3 un nuevo valor para la caracter\u00edstica SP sin conciliaci\u00f3n (rama \u0027entry == NULL\u0027), la memoria asignada para ese valor con dccp_feat_clone_sp_val() nunca se libera. Aqu\u00ed est\u00e1 la pila kmemleak para esto: objeto sin referencia 0xffff88801d4ab488 (tama\u00f1o 8): comm \"syz-executor310\", pid 1127, jiffies 4295085598 (edad 41.666s) volcado hexadecimal (primeros 8 bytes): 01 b4 4a 1d 80 88 ff ff ..J..... backtrace: [\u0026lt;00000000db7cabfe\u0026gt;] kmemdup+0x23/0x50 mm/util.c:128 [\u0026lt;0000000019b38405\u0026gt;] kmemdup include/linux/string.h:465 [en l\u00ednea] [\u0026lt;0000000019b38405\u0026gt;] dccp_feat_clone_sp_val net/dccp/feat.c:371 [en l\u00ednea] [\u0026lt;0000000019b38405\u0026gt;] dccp_feat_clone_sp_val net/dccp/feat.c:367 [en l\u00ednea] [\u0026lt;0000000019b38405\u0026gt;] dccp_feat_change_recv net/dccp/feat.c:1145 [en l\u00ednea] [\u0026lt;0000000019b38405\u0026gt;] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 [\u0026lt;00000000b1f6d94a\u0026gt;] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 [\u0026lt;0000000030d7b621\u0026gt;] dccp_rcv_state_process+0x197/0x13d0 red/dccp/input.c:650 [\u0026lt;000000001f74c72e\u0026gt;] dccp_v4_do_rcv+0xf9/0x1a0 red/dccp/ipv4.c:688 [\u0026lt;00000000a6c24128\u0026gt;] sk_backlog_rcv incluir/net/sock.h:1041 [en l\u00ednea] [\u0026lt;00000000a6c24128\u0026gt;] __release_sock+0x139/0x3b0 red/core/sock.c:2570 [\u0026lt;00000000cf1f3a53\u0026gt;] release_sock+0x54/0x1b0 net/core/sock.c:3111 [\u0026lt;000000008422fa23\u0026gt;] espera_de_conexi\u00f3n inet net/ipv4/af_inet.c:603 [en l\u00ednea] [\u0026lt;000000008422fa23\u0026gt;] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 [\u0026lt;0000000015b6f64d\u0026gt;] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 [\u0026lt;0000000010122488\u0026gt;] archivo_de_conexi\u00f3n_sys+0x15c/0x1a0 net/socket.c:1865 [\u0026lt;00000000b4b70023\u0026gt;] __sys_connect+0x165/0x1a0 red/socket.c:1882 [\u0026lt;00000000f4cb3815\u0026gt;] __do_sys_connect red/socket.c:1892 [en l\u00ednea] [\u0026lt;00000000f4cb3815\u0026gt;] __se_sys_connect red/socket.c:1889 [en l\u00ednea] [\u0026lt;00000000f4cb3815\u0026gt;] __x64_sys_connect+0x6e/0xb0 red/socket.c:1889 [\u0026lt;00000000e7b1e839\u0026gt;] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 [\u0026lt;0000000055e91434\u0026gt;] entry_SYSCALL_64_after_hwframe+0x67/0xd1 Limpia la memoria asignada en caso de que dccp_feat_push_confirm() falle y se resuelve con un c\u00f3digo de reinicio de error. Encontrado por Linux Verification Center (linuxtesting.org) con Syzkaller."
    }
  ],
  "id": "CVE-2024-56643",
  "lastModified": "2025-01-06T17:14:41.813",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-12-27T15:15:24.040",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0bc72e14"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.