CVE-2024-42272

{"id": "CVE-2024-42272", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-17T09:15:08.370", "references": [{"url": "https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: act_ct: take care of padding in struct zones_ht_key\n\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\nbecause zones_ht_key got a struct net pointer.\n\nMake sure rhashtable_lookup() is not using the padding bytes\nwhich are not initialized.\n\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\n tcf_action_add net/sched/act_api.c:2061 [inline]\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\n __sys_sendmsg net/socket.c:2680 [inline]\n __do_sys_sendmsg net/socket.c:2689 [inline]\n __se_sys_sendmsg net/socket.c:2687 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable key created at:\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: sched: act_ct: cuida el relleno en struct zonas_ht_key El commit culpada aument\u00f3 el tama\u00f1o de la clave de b\u00fasqueda de 2 bytes a 16 bytes, porque zonas_ht_key obtuvo un puntero de red de estructura. Aseg\u00farese de que rhashtable_lookup() no est\u00e9 utilizando los bytes de relleno que no est\u00e1n inicializados. ERROR: KMSAN: valor uninit en rht_ptr_rcu include/linux/rhashtable.h:376 [en l\u00ednea] ERROR: KMSAN: valor uninit en __rhashtable_lookup include/linux/rhashtable.h:607 [en l\u00ednea] ERROR: KMSAN: valor uninit en rhashtable_lookup include/linux/rhashtable.h:646 [en l\u00ednea] ERROR: KMSAN: valor uninit en rhashtable_lookup_fast include/linux/rhashtable.h:672 [en l\u00ednea] ERROR: KMSAN: valor uninit en tcf_ct_flow_table_get+0x611/0x2260 net/sched /act_ct.c:329 rht_ptr_rcu include/linux/rhashtable.h:376 [en l\u00ednea] __rhashtable_lookup include/linux/rhashtable.h:607 [en l\u00ednea] rhashtable_lookup include/linux/rhashtable.h:646 [en l\u00ednea] rhashtable_lookup_fast include/linux/ rhashtable.h:672 [en l\u00ednea] tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408 tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425 tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488 tcf_action_add net/sched/act_api.c:2061 [en l\u00ednea] tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118 rtnetlink_rcv_msg+0x12fc/0x1410 net /n\u00facleo/ rtnetlink.c:6647 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [en l\u00ednea] netlink_unicast+0xf52/ 0x1260 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:730 [en l\u00ednea] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_s mensaje final+0x877 /0xb60 net/socket.c:2597 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651 __sys_sendmsg net/socket.c:2680 [en l\u00ednea] __do_sys_sendmsg net/socket.c:2689 [en l\u00ednea] __se_sys_sendmsg net/socket. c: 2687 [en l\u00ednea] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687 x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea ] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f Clave de variable local creada en: tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324 tcf_ct_init+0xa67/0x2890 net /programado /act_ct.c:1408"}], "lastModified": "2024-09-30T13:40:21.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "301A0246-1161-4A6B-908F-525515AD5B20", "versionEndExcluding": "5.10.224", "versionStartIncluding": "5.10.221"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11D5C434-764B-4DCC-80A5-5AFDA2AEB21B", "versionEndExcluding": "5.15.165", "versionStartIncluding": "5.15.162"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D4BD3E8-CDA7-40DB-8B42-051B214E2DE3", "versionEndExcluding": "6.1.104", "versionStartIncluding": "6.1.96"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7A8DCF2-5022-498A-896B-D47AD8E08E9E", "versionEndExcluding": "6.6.45", "versionStartIncluding": "6.6.36"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA5E7970-A460-40EE-9BDE-6FFF21149DDA", "versionEndExcluding": "6.10", "versionStartIncluding": "6.9.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58294AC2-8D9E-4C90-B6EC-7C210C28ECB6", "versionEndExcluding": "6.10.4", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}