CVE-2024-36927: ipv4: Fix uninit-value access in __ip_make_skb()
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix uninit-value access in ipmakeskb()
KMSAN reported uninit-value access in ipmakeskb() [1]. ipmakeskb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IPHDRINCL changes HDRINCL while ipmakeskb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN.
Check FLOWIFLAGKNOWNNH on fl4->flowi4flags instead of testing HDRINCL on the socket.
Also, fl4->fl4icmptype and fl4->fl4icmpcode are not initialized. These are union in struct flowi4 and are implicitly initialized by flowi4initoutput(), but we should not rely on specific union layout.
Initialize these explicitly in rawsendmsg().
[1] BUG: KMSAN: uninit-value in ipmakeskb+0x2b74/0x2d20 net/ipv4/ipoutput.c:1481 ipmakeskb+0x2b74/0x2d20 net/ipv4/ipoutput.c:1481 ipfinishskb include/net/ip.h:243 [inline] ippushpendingframes+0x4c/0x5c0 net/ipv4/ipoutput.c:1508 rawsendmsg+0x2381/0x2690 net/ipv4/raw.c:654 inetsendmsg+0x27b/0x2a0 net/ipv4/afinet.c:851 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x274/0x3c0 net/socket.c:745 syssendto+0x62c/0x7b0 net/socket.c:2191 dosyssendto net/socket.c:2203 [inline] sesyssendto net/socket.c:2199 [inline] x64syssendto+0x130/0x200 net/socket.c:2199 dosyscall64+0xd8/0x1f0 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x6d/0x75
Uninit was created at: slabpostallochook mm/slub.c:3804 [inline] slaballocnode mm/slub.c:3845 [inline] kmemcacheallocnode+0x5f6/0xc50 mm/slub.c:3888 kmallocreserve+0x13c/0x4a0 net/core/skbuff.c:577 allocskb+0x35a/0x7c0 net/core/skbuff.c:668 allocskb include/linux/skbuff.h:1318 [inline] ipappenddata+0x49ab/0x68c0 net/ipv4/ipoutput.c:1128 ipappenddata+0x1e7/0x260 net/ipv4/ipoutput.c:1365 rawsendmsg+0x22b1/0x2690 net/ipv4/raw.c:648 inetsendmsg+0x27b/0x2a0 net/ipv4/afinet.c:851 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x274/0x3c0 net/socket.c:745 syssendto+0x62c/0x7b0 net/socket.c:2191 dosyssendto net/socket.c:2203 [inline] sesyssendto net/socket.c:2199 [inline] x64syssendto+0x130/0x200 net/socket.c:2199 dosyscall64+0xd8/0x1f0 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x6d/0x75
CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
Other sources
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix uninit-value access in ipmakeskb()
The Linux kernel CVE team has assigned CVE-2024-36927 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024053040-CVE-2024-36927-976e@gregkh/T
— Red Hat
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-36927?
CVE-2024-36927 has been identified as a vulnerability that can lead to an uninitialized value access in the Linux kernel, which may affect system stability.
How do I fix CVE-2024-36927?
To fix CVE-2024-36927, update your Linux kernel to version 6.6.31 or higher for Red Hat or to 5.10.223-1 or higher for Debian-based systems.
Which Linux kernel versions are affected by CVE-2024-36927?
CVE-2024-36927 affects Linux kernel versions from 4.14.315 up to but not including 6.6.31.
What systems are impacted by CVE-2024-36927?
CVE-2024-36927 impacts various Linux distributions including Red Hat and Debian that use vulnerable kernel versions.
Is there a workaround for CVE-2024-36927?
Currently, the recommended approach for CVE-2024-36927 is to apply the appropriate updates, as there are no known workarounds.