CVE-2024-35893
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-35893
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35893.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-35893
- Downstream
- Related
- Published
- 2024-05-19T08:34:48.737Z
- Modified
- 2025-11-26T19:33:58.807267Z
- Summary
- net/sched: act_skbmod: prevent kernel-infoleak
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_skbmod: prevent kernel-infoleak
syzbot found that tcfskbmoddump() was copying four bytes from kernel stack to user space [1].
The issue here is that 'struct tc_skbmod' has a four bytes hole.
We need to clear the structure before filling fields.
[1] BUG: KMSAN: kernel-infoleak in instrumentcopytouser include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copytouseriter lib/ioviter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterateubuf include/linux/ioviter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterateandadvance2 include/linux/ioviter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterateandadvance include/linux/ioviter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copytoiter+0x366/0x2520 lib/ioviter.c:185 instrumentcopytouser include/linux/instrumented.h:114 [inline] copytouseriter lib/ioviter.c:24 [inline] iterateubuf include/linux/ioviter.h:29 [inline] iterateandadvance2 include/linux/ioviter.h:245 [inline] iterateandadvance include/linux/ioviter.h:271 [inline] _copytoiter+0x366/0x2520 lib/ioviter.c:185 copytoiter include/linux/uio.h:196 [inline] simplecopytoiter net/core/datagram.c:532 [inline] _skbdatagramiter+0x185/0x1000 net/core/datagram.c:420 skbcopydatagramiter+0x5c/0x200 net/core/datagram.c:546 skbcopydatagrammsg include/linux/skbuff.h:4050 [inline] netlinkrecvmsg+0x432/0x1610 net/netlink/afnetlink.c:1962 sockrecvmsgnosec net/socket.c:1046 [inline] sockrecvmsg+0x2c4/0x340 net/socket.c:1068 _sysrecvfrom+0x35a/0x5f0 net/socket.c:2242 _dosysrecvfrom net/socket.c:2260 [inline] _sesysrecvfrom net/socket.c:2256 [inline] _x64sysrecvfrom+0x126/0x1d0 net/socket.c:2256 dosyscall64+0xd5/0x1f0 entrySYSCALL64afterhwframe+0x6d/0x75
Uninit was stored to memory at: pskbexpandhead+0x30f/0x19d0 net/core/skbuff.c:2253 netlinktrim+0x2c2/0x330 net/netlink/afnetlink.c:1317 netlinkunicast+0x9f/0x1260 net/netlink/afnetlink.c:1351 nlmsgunicast include/net/netlink.h:1144 [inline] nlmsgnotify+0x21d/0x2f0 net/netlink/afnetlink.c:2610 rtnetlinksend+0x73/0x90 net/core/rtnetlink.c:741 rtnetlinkmaybesend include/linux/rtnetlink.h:17 [inline] tcfaddnotify net/sched/actapi.c:2048 [inline] tcfactionadd net/sched/actapi.c:2071 [inline] tcctlaction+0x146e/0x19d0 net/sched/actapi.c:2119 rtnetlinkrcvmsg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlinkrcvskb+0x375/0x650 net/netlink/afnetlink.c:2559 rtnetlinkrcv+0x34/0x40 net/core/rtnetlink.c:6613 netlinkunicastkernel net/netlink/afnetlink.c:1335 [inline] netlinkunicast+0xf4c/0x1260 net/netlink/afnetlink.c:1361 netlinksendmsg+0x10df/0x11f0 net/netlink/afnetlink.c:1905 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x30f/0x380 net/socket.c:745 _syssendmsg+0x877/0xb60 net/socket.c:2584 _syssendmsg+0x28d/0x3c0 net/socket.c:2638 _syssendmsg net/socket.c:2667 [inline] _dosyssendmsg net/socket.c:2676 [inline] _sesyssendmsg net/socket.c:2674 [inline] _x64syssendmsg+0x307/0x4a0 net/socket.c:2674 dosyscall64+0xd5/0x1f0 entrySYSCALL64after_hwframe+0x6d/0x75
Uninit was stored to memory at: _nlaput lib/nlattr.c:1041 [inline] nlaput+0x1c6/0x230 lib/nlattr.c:1099 tcfskbmoddump+0x23f/0xc20 net/sched/actskbmod.c:256 tcfactiondumpold net/sched/actapi.c:1191 [inline] tcfactiondump1+0x85e/0x970 net/sched/actapi.c:1227 tcfactiondump+0x1fd/0x460 net/sched/actapi.c:1251 tcagetfill+0x519/0x7a0 net/sched/actapi.c:1628 tcfaddnotifymsg net/sched/actapi.c:2023 [inline] tcfaddnotify net/sched/actapi.c:2042 [inline] tcfactionadd net/sched/actapi.c:2071 [inline] tcctlaction+0x1365/0x19d0 net/sched/actapi.c:2119 rtnetlinkrcvmsg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlinkrcvskb+0x375/0x650 net/netlink/afnetli ---truncated---
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/9c3874e559580d6c6ec8d449812ac11277724770/cves/2024/35xxx/CVE-2024-35893.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
- https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5
- https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
- https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
- https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14
- https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd
- https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
- https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixedf190a4aa03cbd518bd9c62a66e1233984f5fd2ec
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixedf356eb2fb567e0931143ac1769ac802d3b3e2077
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixed5e45dc4408857305f4685abfd7a528a1e58b51b5
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixeda097fc199ab5f4b5392c5144034c0d2148b55a14
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixed55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixed729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixed7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced86da71b57383d40993cb90baafb3735cffe5d800Fixedd313eb8b77557a6d5855f42d2234bd592c7b50dd
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.9.0Fixed4.19.312
- Type
- ECOSYSTEM
- Events
-
Introduced4.20.0Fixed5.4.274
- Type
- ECOSYSTEM
- Events
-
Introduced5.5.0Fixed5.10.215
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.154
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.85
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.26
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.8.5