In the Linux kernel, the following vulnerability has been resolved:
nbd: always initialize struct msghdr completely
syzbot complains that the msg->msg_get_inq value can be uninitialized [1].
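struct msghdr got many new fields recently; we should always make sure their values are zero by default. In the report below, msg is a stack-local variable created in __sock_xmit() (drivers/block/nbd.c), so any field that function does not set explicitly still holds leftover stack contents when tcp_recvmsg() reads it.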
[1]
BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
 inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg+0x12b/0x1e0 net/socket.c:1066
 __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538
 nbd_read_reply drivers/block/nbd.c:732 [inline]
 recv_work+0x262/0x3100 drivers/block/nbd.c:863
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Local variable msg created at:
 __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513
 nbd_read_reply drivers/block/nbd.c:732 [inline]
 recv_work+0x262/0x3100 drivers/block/nbd.c:863
CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: nbd5-recv recv_work
{ "vanir_signatures": [ { "signature_type": "Function", "target": { "file": "drivers/block/nbd.c", "function": "__sock_xmit" }, "signature_version": "v1", "digest": { "length": 843.0, "function_hash": "127111094330557077426269738594781097095" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9c54763e5cdbbd3f81868597fe8aca3c96e6387", "deprecated": false, "id": "CVE-2024-26638-53f8aa20" }, { "signature_type": "Function", "target": { "file": "drivers/block/nbd.c", "function": "__sock_xmit" }, "signature_version": "v1", "digest": { "length": 885.0, "function_hash": "260752224909796851271360545059343979863" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1960f2b534da1e6c65fb96f9e98bda773495f406", "deprecated": false, "id": "CVE-2024-26638-7fc05286" }, { "signature_type": "Line", "target": { "file": "drivers/block/nbd.c" }, "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "53270969597173793261042203421524886920", "340244257594861203912086009649971144717", "46016536618787779205332480409887258410", "326430951206264093354088788398036568138", "298532151071420019530946249036016740083", "125730847816707162484217513417941582838", "123693172889426091606629958431364135505", "245993348783721138282621533013681830311", "305894966972545186588663690220562903108", "16410481754945380189905508054116281182", "133258763409015438362589366260953061480" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0028f333420a65a53a63978522db680b37379dd", "deprecated": false, "id": "CVE-2024-26638-9d5aa945" }, { "signature_type": "Line", "target": { "file": "drivers/block/nbd.c" }, "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "53270969597173793261042203421524886920", "340244257594861203912086009649971144717", "46016536618787779205332480409887258410", "326430951206264093354088788398036568138", "298532151071420019530946249036016740083", 
"125730847816707162484217513417941582838", "123693172889426091606629958431364135505", "245993348783721138282621533013681830311", "305894966972545186588663690220562903108", "16410481754945380189905508054116281182", "133258763409015438362589366260953061480" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1960f2b534da1e6c65fb96f9e98bda773495f406", "deprecated": false, "id": "CVE-2024-26638-af761813" }, { "signature_type": "Function", "target": { "file": "drivers/block/nbd.c", "function": "__sock_xmit" }, "signature_version": "v1", "digest": { "length": 885.0, "function_hash": "260752224909796851271360545059343979863" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0028f333420a65a53a63978522db680b37379dd", "deprecated": false, "id": "CVE-2024-26638-b7d3612f" }, { "signature_type": "Line", "target": { "file": "drivers/block/nbd.c" }, "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "53270969597173793261042203421524886920", "340244257594861203912086009649971144717", "46016536618787779205332480409887258410", "326430951206264093354088788398036568138", "121882886380709108498909943193826247618", "127939728620773780677636857301463625713", "152056705207112753058403507421321083636", "245993348783721138282621533013681830311", "305894966972545186588663690220562903108", "16410481754945380189905508054116281182", "133258763409015438362589366260953061480" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9c54763e5cdbbd3f81868597fe8aca3c96e6387", "deprecated": false, "id": "CVE-2024-26638-cacbd8a4" }, { "signature_type": "Function", "target": { "file": "drivers/block/nbd.c", "function": "__sock_xmit" }, "signature_version": "v1", "digest": { "length": 885.0, "function_hash": "260752224909796851271360545059343979863" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78fbb92af27d0982634116c7a31065f24d092826", "deprecated": false, "id": 
"CVE-2024-26638-f78c1bc0" }, { "signature_type": "Line", "target": { "file": "drivers/block/nbd.c" }, "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "53270969597173793261042203421524886920", "340244257594861203912086009649971144717", "46016536618787779205332480409887258410", "326430951206264093354088788398036568138", "298532151071420019530946249036016740083", "125730847816707162484217513417941582838", "123693172889426091606629958431364135505", "245993348783721138282621533013681830311", "305894966972545186588663690220562903108", "16410481754945380189905508054116281182", "133258763409015438362589366260953061480" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78fbb92af27d0982634116c7a31065f24d092826", "deprecated": false, "id": "CVE-2024-26638-ff519f6b" } ] }