cve/published/2024/CVE-2024-50110.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50110: xfrm: fix one more kernel-infoleak in algo dumping

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 xfrm: fix one more kernel-infoleak in algo dumping

 During fuzz testing, the following issue was discovered:

 BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
  _copy_to_iter+0x598/0x2a30
  __skb_datagram_iter+0x168/0x1060
  skb_copy_datagram_iter+0x5b/0x220
  netlink_recvmsg+0x362/0x1700
  sock_recvmsg+0x2dc/0x390
  __sys_recvfrom+0x381/0x6d0
  __x64_sys_recvfrom+0x130/0x200
  x64_sys_call+0x32c8/0x3cc0
  do_syscall_64+0xd8/0x1c0
  entry_SYSCALL_64_after_hwframe+0x79/0x81

 Uninit was stored to memory at:
  copy_to_user_state_extra+0xcc1/0x1e00
  dump_one_state+0x28c/0x5f0
  xfrm_state_walk+0x548/0x11e0
  xfrm_dump_sa+0x1e0/0x840
  netlink_dump+0x943/0x1c40
  __netlink_dump_start+0x746/0xdb0
  xfrm_user_rcv_msg+0x429/0xc00
  netlink_rcv_skb+0x613/0x780
  xfrm_netlink_rcv+0x77/0xc0
  netlink_unicast+0xe90/0x1280
  netlink_sendmsg+0x126d/0x1490
  __sock_sendmsg+0x332/0x3d0
  ____sys_sendmsg+0x863/0xc30
  ___sys_sendmsg+0x285/0x3e0
  __x64_sys_sendmsg+0x2d6/0x560
  x64_sys_call+0x1316/0x3cc0
  do_syscall_64+0xd8/0x1c0
  entry_SYSCALL_64_after_hwframe+0x79/0x81

 Uninit was created at:
  __kmalloc+0x571/0xd30
  attach_auth+0x106/0x3e0
  xfrm_add_sa+0x2aa0/0x4230
  xfrm_user_rcv_msg+0x832/0xc00
  netlink_rcv_skb+0x613/0x780
  xfrm_netlink_rcv+0x77/0xc0
  netlink_unicast+0xe90/0x1280
  netlink_sendmsg+0x126d/0x1490
  __sock_sendmsg+0x332/0x3d0
  ____sys_sendmsg+0x863/0xc30
  ___sys_sendmsg+0x285/0x3e0
  __x64_sys_sendmsg+0x2d6/0x560
  x64_sys_call+0x1316/0x3cc0
  do_syscall_64+0xd8/0x1c0
  entry_SYSCALL_64_after_hwframe+0x79/0x81

 Bytes 328-379 of 732 are uninitialized
 Memory access of size 732 starts at ffff88800e18e000
 Data copied to user address 00007ff30f48aff0

 CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

 Fixes copying of xfrm algorithms where some random
 data of the structure fields can end up in userspace.
 Padding in structures may be filled with random (possibly sensitve)
 data and should never be given directly to user-space.

 A similar issue was resolved in the commit
 8222d5910dae ("xfrm: Zero padding when dumping algos and encap")

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

 The Linux kernel CVE team has assigned CVE-2024-50110 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 5.15.170 with commit 610d4cea9b442b22b4820695fc3335e64849725e
 	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.1.115 with commit dc2ad8e8818e4bf1a93db78d81745b4877b32972
 	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.6.59 with commit c73bca72b84b453c8d26a5e7673b20adb294bf54
 	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.11.6 with commit 1e8fbd2441cb2ea28d6825f2985bf7d84af060bb
 	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.12 with commit 6889cd2a93e1e3606b3f6e958aa0924e836de4d2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50110
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/xfrm/xfrm_user.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/610d4cea9b442b22b4820695fc3335e64849725e
 	https://git.kernel.org/stable/c/dc2ad8e8818e4bf1a93db78d81745b4877b32972
 	https://git.kernel.org/stable/c/c73bca72b84b453c8d26a5e7673b20adb294bf54
 	https://git.kernel.org/stable/c/1e8fbd2441cb2ea28d6825f2985bf7d84af060bb
 	https://git.kernel.org/stable/c/6889cd2a93e1e3606b3f6e958aa0924e836de4d2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50110: xfrm: fix one more kernel-infoleak in algo dumping

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	xfrm: fix one more kernel-infoleak in algo dumping

	During fuzz testing, the following issue was discovered:

	BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
	_copy_to_iter+0x598/0x2a30
	__skb_datagram_iter+0x168/0x1060
	skb_copy_datagram_iter+0x5b/0x220
	netlink_recvmsg+0x362/0x1700
	sock_recvmsg+0x2dc/0x390
	__sys_recvfrom+0x381/0x6d0
	__x64_sys_recvfrom+0x130/0x200
	x64_sys_call+0x32c8/0x3cc0
	do_syscall_64+0xd8/0x1c0
	entry_SYSCALL_64_after_hwframe+0x79/0x81

	Uninit was stored to memory at:
	copy_to_user_state_extra+0xcc1/0x1e00
	dump_one_state+0x28c/0x5f0
	xfrm_state_walk+0x548/0x11e0
	xfrm_dump_sa+0x1e0/0x840
	netlink_dump+0x943/0x1c40
	__netlink_dump_start+0x746/0xdb0
	xfrm_user_rcv_msg+0x429/0xc00
	netlink_rcv_skb+0x613/0x780
	xfrm_netlink_rcv+0x77/0xc0
	netlink_unicast+0xe90/0x1280
	netlink_sendmsg+0x126d/0x1490
	__sock_sendmsg+0x332/0x3d0
	____sys_sendmsg+0x863/0xc30
	___sys_sendmsg+0x285/0x3e0
	__x64_sys_sendmsg+0x2d6/0x560
	x64_sys_call+0x1316/0x3cc0
	do_syscall_64+0xd8/0x1c0
	entry_SYSCALL_64_after_hwframe+0x79/0x81

	Uninit was created at:
	__kmalloc+0x571/0xd30
	attach_auth+0x106/0x3e0
	xfrm_add_sa+0x2aa0/0x4230
	xfrm_user_rcv_msg+0x832/0xc00
	netlink_rcv_skb+0x613/0x780
	xfrm_netlink_rcv+0x77/0xc0
	netlink_unicast+0xe90/0x1280
	netlink_sendmsg+0x126d/0x1490
	__sock_sendmsg+0x332/0x3d0
	____sys_sendmsg+0x863/0xc30
	___sys_sendmsg+0x285/0x3e0
	__x64_sys_sendmsg+0x2d6/0x560
	x64_sys_call+0x1316/0x3cc0
	do_syscall_64+0xd8/0x1c0
	entry_SYSCALL_64_after_hwframe+0x79/0x81

	Bytes 328-379 of 732 are uninitialized
	Memory access of size 732 starts at ffff88800e18e000
	Data copied to user address 00007ff30f48aff0

	CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

	Fixes copying of xfrm algorithms where some random
	data of the structure fields can end up in userspace.
	Padding in structures may be filled with random (possibly sensitve)
	data and should never be given directly to user-space.

	A similar issue was resolved in the commit
	8222d5910dae ("xfrm: Zero padding when dumping algos and encap")

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	The Linux kernel CVE team has assigned CVE-2024-50110 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 5.15.170 with commit 610d4cea9b442b22b4820695fc3335e64849725e
	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.1.115 with commit dc2ad8e8818e4bf1a93db78d81745b4877b32972
	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.6.59 with commit c73bca72b84b453c8d26a5e7673b20adb294bf54
	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.11.6 with commit 1e8fbd2441cb2ea28d6825f2985bf7d84af060bb
	Issue introduced in 5.11 with commit c7a5899eb26e2a4d516d53f65b6dd67be2228041 and fixed in 6.12 with commit 6889cd2a93e1e3606b3f6e958aa0924e836de4d2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50110
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/xfrm/xfrm_user.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/610d4cea9b442b22b4820695fc3335e64849725e
	https://git.kernel.org/stable/c/dc2ad8e8818e4bf1a93db78d81745b4877b32972
	https://git.kernel.org/stable/c/c73bca72b84b453c8d26a5e7673b20adb294bf54
	https://git.kernel.org/stable/c/1e8fbd2441cb2ea28d6825f2985bf7d84af060bb
	https://git.kernel.org/stable/c/6889cd2a93e1e3606b3f6e958aa0924e836de4d2