cve/published/2024/CVE-2024-42106.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42106: inet_diag: Initialize pad field in struct inet_diag_req_v2

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 inet_diag: Initialize pad field in struct inet_diag_req_v2

 KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
 sockets uses the pad field in struct inet_diag_req_v2 for the
 underlying protocol. This field corresponds to the sdiag_raw_protocol
 field in struct inet_diag_req_raw.

 inet_diag_get_exact_compat() converts inet_diag_req to
 inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
 occurs when raw_lookup() accesses the sdiag_raw_protocol field.

 Fix this by initializing the pad field in
 inet_diag_get_exact_compat(). Also, do the same fix in
 inet_diag_dump_compat() to avoid the similar issue in the future.

 [1]
 BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
 BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
  raw_lookup net/ipv4/raw_diag.c:49 [inline]
  raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
  raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
  inet_diag_cmd_exact+0x7d9/0x980
  inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
  inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
  sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
  netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
  sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
  netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
  netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x332/0x3d0 net/socket.c:745
  ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
  __sys_sendmsg net/socket.c:2668 [inline]
  __do_sys_sendmsg net/socket.c:2677 [inline]
  __se_sys_sendmsg net/socket.c:2675 [inline]
  __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
  x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Uninit was stored to memory at:
  raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
  raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
  inet_diag_cmd_exact+0x7d9/0x980
  inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
  inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
  sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
  netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
  sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
  netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
  netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x332/0x3d0 net/socket.c:745
  ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
  __sys_sendmsg net/socket.c:2668 [inline]
  __do_sys_sendmsg net/socket.c:2677 [inline]
  __se_sys_sendmsg net/socket.c:2675 [inline]
  __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
  x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Local variable req.i created at:
  inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
  inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
  sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282

 CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014

 The Linux kernel CVE team has assigned CVE-2024-42106 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 4.19.318 with commit 7094a5fd20ab66028f1da7f06e0f2692d70346f9
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 5.4.280 with commit 0184bf0a349f4cf9e663abbe862ff280e8e4dfa2
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 5.10.222 with commit 7ef519c8efde152e0d632337f2994f6921e0b7e4
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 5.15.163 with commit 8366720519ea8d322a20780debdfd23d9fc0904a
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.1.98 with commit d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.6.39 with commit 76965648fe6858db7c5f3c700fef7aa5f124ca1c
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.9.9 with commit f9b2010e8af49fac9d9562146fb81744d8a9b051
 	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.10 with commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42106
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/inet_diag.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9
 	https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2
 	https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4
 	https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a
 	https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb
 	https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c
 	https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051
 	https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42106: inet_diag: Initialize pad field in struct inet_diag_req_v2

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	inet_diag: Initialize pad field in struct inet_diag_req_v2

	KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
	sockets uses the pad field in struct inet_diag_req_v2 for the
	underlying protocol. This field corresponds to the sdiag_raw_protocol
	field in struct inet_diag_req_raw.

	inet_diag_get_exact_compat() converts inet_diag_req to
	inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
	occurs when raw_lookup() accesses the sdiag_raw_protocol field.

	Fix this by initializing the pad field in
	inet_diag_get_exact_compat(). Also, do the same fix in
	inet_diag_dump_compat() to avoid the similar issue in the future.

	[1]
	BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
	BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
	raw_lookup net/ipv4/raw_diag.c:49 [inline]
	raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
	raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
	inet_diag_cmd_exact+0x7d9/0x980
	inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
	inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
	sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
	netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
	sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
	netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
	netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
	netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x332/0x3d0 net/socket.c:745
	____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
	___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
	__sys_sendmsg net/socket.c:2668 [inline]
	__do_sys_sendmsg net/socket.c:2677 [inline]
	__se_sys_sendmsg net/socket.c:2675 [inline]
	__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
	x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was stored to memory at:
	raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
	raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
	inet_diag_cmd_exact+0x7d9/0x980
	inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
	inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
	sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
	netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
	sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
	netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
	netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
	netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x332/0x3d0 net/socket.c:745
	____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
	___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
	__sys_sendmsg net/socket.c:2668 [inline]
	__do_sys_sendmsg net/socket.c:2677 [inline]
	__se_sys_sendmsg net/socket.c:2675 [inline]
	__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
	x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Local variable req.i created at:
	inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
	inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
	sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282

	CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014

	The Linux kernel CVE team has assigned CVE-2024-42106 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 4.19.318 with commit 7094a5fd20ab66028f1da7f06e0f2692d70346f9
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 5.4.280 with commit 0184bf0a349f4cf9e663abbe862ff280e8e4dfa2
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 5.10.222 with commit 7ef519c8efde152e0d632337f2994f6921e0b7e4
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 5.15.163 with commit 8366720519ea8d322a20780debdfd23d9fc0904a
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.1.98 with commit d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.6.39 with commit 76965648fe6858db7c5f3c700fef7aa5f124ca1c
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.9.9 with commit f9b2010e8af49fac9d9562146fb81744d8a9b051
	Issue introduced in 4.10 with commit 432490f9d455fb842d70219f22d9d2c812371676 and fixed in 6.10 with commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42106
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/inet_diag.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9
	https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2
	https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4
	https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a
	https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb
	https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c
	https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051
	https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f