{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: validate user input for expected length",
    "id" : "2281675",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281675"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: validate user input for expected length\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\nBUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:488\nkasan_report+0x143/0x180 mm/kasan/report.c:601\nkasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\ncopy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\ncopy_from_sockptr include/linux/sockptr.h:55 [inline]\ndo_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\ndo_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nnf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\ndo_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n__sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n__do_sys_setsockopt net/socket.c:2343 [inline]\n__se_sys_setsockopt net/socket.c:2340 [inline]\n__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\ndo_syscall_64+0xfb/0x240\nentry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n</TASK>\nAllocated by task 7238:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\nkasan_kmalloc include/linux/kasan.h:211 [inline]\n__do_kmalloc_node mm/slub.c:4069 [inline]\n__kmalloc_noprof+0x200/0x410 mm/slub.c:4082\nkmalloc_noprof include/linux/slab.h:664 [inline]\n__cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\ndo_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n__sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n__do_sys_setsockopt net/socket.c:2343 [inline]\n__se_sys_setsockopt net/socket.c:2340 [inline]\n__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\ndo_syscall_64+0xfb/0x240\nentry_SYSCALL_64_after_hwframe+0x72/0x7a\nThe buggy address belongs to the object at ffff88802cd73da0\nwhich belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\nallocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", "CVE-2024-35896 is a vulnerability in the Linux kernel's Netfilter component, where the setsockopt function fails to properly validate the length of user-supplied data before copying it into kernel space. This oversight can lead to out-of-bounds memory access, potentially causing system crashes or allowing attackers to execute arbitrary code. The issue has been addressed by implementing appropriate checks on the optlen argument to ensure data is correctly sized before being processed. Users are advised to update their Linux kernel to a version that includes this fix to mitigate potential risks." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5102",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5101",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.16.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5066",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.77.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5067",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.77.1.rt14.362.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35896\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35896\nhttps://lore.kernel.org/linux-cve-announce/2024051950-CVE-2024-35896-e6b5@gregkh/T" ],
  "name" : "CVE-2024-35896",
  "csaw" : false
}