cbcvebase.
CVE-2024-26733
published 2024-04-03

CVE-2024-26733: In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in…

medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS

Affected

25 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debianlinux< linux 6.1.82-1 (bookworm)linux 6.1.82-1 (bookworm)
linuxlinux
linuxlinux>= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
linuxlinux>= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 97eaa2955db4120ce6ec2ef123e860bc32232c5097eaa2955db4120ce6ec2ef123e860bc32232c50
linuxlinux>= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f119f2325ba70cbfdec701000dcad4d88805d5b0f119f2325ba70cbfdec701000dcad4d88805d5b0
linuxlinux>= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a3f2c083cb575d80a7627baf3339e78fedccbb91a3f2c083cb575d80a7627baf3339e78fedccbb91
linuxlinux>= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
linuxlinux>= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a7d6027790acea24446ddd6632d394096c0f4667a7d6027790acea24446ddd6632d394096c0f4667
linuxlinux_kernel
linuxlinux_kernel
linuxlinux_kernel>= 0 < 5.10.216-15.10.216-1
linuxlinux_kernel>= 0 < 6.1.82-16.1.82-1
linuxlinux_kernel>= 0 < 6.7.7-16.7.7-1
linuxlinux_kernel>= 0 < 6.7.7-16.7.7-1
linuxlinux_kernel>= 0 < 5.4.0-186.2065.4.0-186.206
linuxlinux_kernel>= 0 < 5.15.0-112.1225.15.0-112.122
linuxlinux_kernel>= 0 < 4.4.0-259.2934.4.0-259.293
linuxlinux_kernel>= 0 < 4.15.0-229.2414.15.0-229.241
linuxlinux_kernel>= 2.6.12 < 5.10.2115.10.211
linuxlinux_kernel>= 5.11 < 5.15.1505.15.150
linuxlinux_kernel>= 5.16 < 6.1.806.1.80
linuxlinux_kernel>= 6.2 < 6.6.196.6.19
linuxlinux_kernel>= 6.7 < 6.7.76.7.7
netappe-series_santricity_os_controller11.0.0 – 11.70.2

CVSS provenance

nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv7.8HIGH