{
  "threat_severity" : "Moderate",
  "public_date" : "2024-06-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: bridge: xmit: make sure we have at least eth header len bytes",
    "id" : "2293461",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293461"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-99",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: bridge: xmit: make sure we have at least eth header len bytes\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\nTested with dropwatch:\ndrop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\norigin: software\ntimestamp: Mon May 13 11:31:53 2024 778214037 nsec\nprotocol: 0x88a8\nlength: 2\noriginal length: 2\ndrop reason: PKT_TOO_SMALL\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\nbr_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n__netdev_start_xmit include/linux/netdevice.h:4903 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4917 [inline]\nxmit_one net/core/dev.c:3531 [inline]\ndev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n__dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\ndev_queue_xmit include/linux/netdevice.h:3091 [inline]\n__bpf_tx_skb net/core/filter.c:2136 [inline]\n__bpf_redirect_common net/core/filter.c:2180 [inline]\n__bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n____bpf_clone_redirect net/core/filter.c:2460 [inline]\nbpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n__bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\nbpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n__bpf_prog_run include/linux/filter.h:657 [inline]\nbpf_prog_run include/linux/filter.h:664 [inline]\nbpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\nbpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\nbpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n__do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n__se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n__x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\nx64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f", "A vulnerability was found in the Linux kernel in the net: bridge component, where the xmit function in the bridge device could trigger an uninitialized value error if a short skb (less than the required ETH_HLEN bytes) is sent. This condition could cause unexpected behavior due to insufficient checks before pulling data from the packet, potentially leading to data inconsistency." ],
  "statement" : "This vulnerability is classified as moderate severity because it requires local access and specific packet manipulation to exploit. While it may impact system stability, it does not broadly compromise system security, as its effects remain limited to certain packet-handling scenarios.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5102",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5101",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.16.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5255",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.67.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-14T00:00:00Z",
    "advisory" : "RHSA-2024:5364",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.79.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-14T00:00:00Z",
    "advisory" : "RHSA-2024:5365",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.79.1.rt14.364.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-38538\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38538\nhttps://lore.kernel.org/linux-cve-announce/2024061947-CVE-2024-38538-e28a@gregkh/T" ],
  "name" : "CVE-2024-38538",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}