In the Linux kernel, the following vulnerability has been resolved:
Squashfs: sanity check symbolic link size
Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
This is caused by an uninitialised page, which is ultimately caused
by a corrupted symbolic link size read from disk.
The reason why the corrupted symlink size causes an uninitialised
page is due to the following sequence of events:
1. squashfs_read_inode() is called to read the symbolic
link from disk. This assigns the corrupted value
3875536935 to inode->i_size.
2. Later squashfs_symlink_read_folio() is called, which assigns
this corrupted value to the length variable, which being a
signed int, overflows producing a negative number.
3. The following loop that fills in the page contents checks that
the copied bytes is less than length, which being negative means
the loop is skipped, producing an uninitialised page.
This patch adds a sanity check which checks that the symbolic
link size is not larger than expected.
--
V2: fix spelling mistake.
References
Configurations
Configuration 1 (hide)
|
History
30 Sep 2024, 13:36
Type | Values Removed | Values Added |
---|---|---|
First Time |
Linux linux Kernel
Linux |
|
CPE | cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
References | () https://git.kernel.org/stable/c/087f25b2d36adae19951114ffcbb7106ed405ebb - Patch | |
References | () https://git.kernel.org/stable/c/1b9451ba6f21478a75288ea3e3fca4be35e2a438 - Patch | |
References | () https://git.kernel.org/stable/c/5c8906de98d0d7ad42ff3edf2cb6cd7e0ea658c4 - Patch | |
References | () https://git.kernel.org/stable/c/810ee43d9cd245d138a2733d87a24858a23f577d - Patch | |
References | () https://git.kernel.org/stable/c/c3af7e460a526007e4bed1ce3623274a1a6afe5e - Patch | |
References | () https://git.kernel.org/stable/c/ef4e249971eb77ec33d74c5c3de1e2576faf6c90 - Patch | |
References | () https://git.kernel.org/stable/c/f82cb7f24032ed023fc67d26ea9bf322d8431a90 - Patch | |
References | () https://git.kernel.org/stable/c/fac5e82ab1334fc8ed6ff7183702df634bd1d93d - Patch | |
CWE | CWE-59 |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
18 Sep 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-18 08:15
Updated : 2024-09-30 13:36
NVD link : CVE-2024-46744
Mitre link : CVE-2024-46744
CVE.ORG link : CVE-2024-46744
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-59
Improper Link Resolution Before File Access ('Link Following')