CVE-2024-50142

In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71	Patch
https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563	Patch
https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3	Patch
https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366	Patch
https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73	Patch
https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862	Patch
https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a	Patch
https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc4::::::

History

22 Nov 2024, 16:47

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71 -~~	() https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71 - Patch
References	~~() https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563 -~~	() https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563 - Patch
References	~~() https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3 -~~	() https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3 - Patch
References	~~() https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366 -~~	() https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366 - Patch
References	~~() https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73 -~~	() https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73 - Patch
References	~~() https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862 -~~	() https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862 - Patch
References	~~() https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a -~~	() https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a - Patch
References	~~() https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a -~~	() https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a - Patch
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:o:linux:linux_kernel:6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel::::::::

08 Nov 2024, 16:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3 - () https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73 - () https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xfrm: validar el prefijo de la nueva SA usando la familia de SA cuando sel.family no está configurado Esto expande la validación introducida en el commit 07bf7908950a ("xfrm: validar las longitudes de prefijo de dirección en el selector xfrm"). syzbot creó una SA con usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Debido al selector AF_UNSPEC, verificar_newsa_info no pone límites en prefixlen_{s,d}. Pero luego copy_from_user_state establece x->sel.family en usersa.family (AF_INET). Realice la misma conversión en verificar_newsa_info antes de validar prefixlen_{s,d}, ya que así es como se usará prefixlen más adelante.

07 Nov 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 10:15

Updated : 2024-11-22 16:47

NVD link : CVE-2024-50142

Mitre link : CVE-2024-50142

CVE.ORG link : CVE-2024-50142

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10