{ "threat_severity" : "Low", "public_date" : "2024-05-19T00:00:00Z", "bugzilla" : { "description" : "kernel: net/sched: act_skbmod: prevent kernel-infoleak", "id" : "2281682", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281682" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: act_skbmod: prevent kernel-infoleak\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\nWe need to clear the structure before filling fields.\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopy_to_user_iter lib/iov_iter.c:24 [inline]\niterate_ubuf include/linux/iov_iter.h:29 [inline]\niterate_and_advance2 include/linux/iov_iter.h:245 [inline]\niterate_and_advance include/linux/iov_iter.h:271 [inline]\n_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\ncopy_to_iter include/linux/uio.h:196 [inline]\nsimple_copy_to_iter net/core/datagram.c:532 [inline]\n__skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\nskb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\nskb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\nnetlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\nsock_recvmsg_nosec net/socket.c:1046 [inline]\nsock_recvmsg+0x2c4/0x340 net/socket.c:1068\n__sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n__do_sys_recvfrom net/socket.c:2260 [inline]\n__se_sys_recvfrom net/socket.c:2256 [inline]\n__x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\ndo_syscall_64+0xd5/0x1f0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nUninit was stored to memory at:\npskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\nnetlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\nnetlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\nnlmsg_unicast include/net/netlink.h:1144 [inline]\nnlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\nrtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\nrtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\ntcf_add_notify net/sched/act_api.c:2048 [inline]\ntcf_action_add net/sched/act_api.c:2071 [inline]\ntc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\nrtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\nnetlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\nrtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\nnetlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\nnetlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\nnetlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\ndo_syscall_64+0xd5/0x1f0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nUninit was stored to memory at:\n__nla_put lib/nlattr.c:1041 [inline]\nnla_put+0x1c6/0x230 lib/nlattr.c:1099\ntcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\ntcf_action_dump_old net/sched/act_api.c:1191 [inline]\ntcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\ntcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\ntca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\ntcf_add_notify_msg net/sched/act_api.c:2023 [inline]\ntcf_add_notify net/sched/act_api.c:2042 [inline]\ntcf_action_add net/sched/act_api.c:2071 [inline]\ntc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\nrtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\nnetlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5102", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5101", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.16.1.el8_10" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35893\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35893\nhttps://lore.kernel.org/linux-cve-announce/2024051949-CVE-2024-35893-5132@gregkh/T" ], "name" : "CVE-2024-35893", "csaw" : false }