First published: Thu Apr 04 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter syzbot reported the following uninit-value access issue [1]: netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since the tailroom is not initialized when the new `skb` created, KMSAN detects uninitialized memory area when copying the data. This patch resolved this issue by correct the len from `skb->end` to `skb->len`, which is the actual data offset. BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 copy_to_iter include/linux/uio.h:197 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg net/socket.c:1066 [inline] sock_read_iter+0x467/0x580 net/socket.c:1136 call_read_iter include/linux/fs.h:2014 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x8f6/0xe00 fs/read_write.c:470 ksys_read+0x20f/0x4c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x93/0xd0 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was stored to memory at: skb_put_data include/linux/skbuff.h:2622 [inline] netlink_to_full_skb net/netlink/af_netlink.c:181 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline] __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline] netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline] netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: free_pages_prepare mm/page_alloc.c:1087 [inline] free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533 release_pages+0x23d3/0x2410 mm/swap.c:1042 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316 tlb_batch_pages ---truncated---
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/linux | <4.15.0-225.237 | 4.15.0-225.237 |
ubuntu/linux | <5.4.0-186.206 | 5.4.0-186.206 |
ubuntu/linux | <5.15.0-112.122 | 5.15.0-112.122 |
ubuntu/linux | <6.5.0-35.35 | 6.5.0-35.35 |
ubuntu/linux | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux | <4.4.0-254.288 | 4.4.0-254.288 |
ubuntu/linux-aws | <4.15.0-1168.181 | 4.15.0-1168.181 |
ubuntu/linux-aws | <5.4.0-1126.136 | 5.4.0-1126.136 |
ubuntu/linux-aws | <5.15.0-1063.69 | 5.15.0-1063.69 |
ubuntu/linux-aws | <6.5.0-1020.20 | 6.5.0-1020.20 |
ubuntu/linux-aws | <4.4.0-1131.137 | 4.4.0-1131.137 |
ubuntu/linux-aws | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-aws | <4.4.0-1169.184 | 4.4.0-1169.184 |
ubuntu/linux-aws-5.15 | <5.15.0-1063.69~20.04.1 | 5.15.0-1063.69~20.04.1 |
ubuntu/linux-aws-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-aws-5.4 | <5.4.0-1126.136~18.04.1 | 5.4.0-1126.136~18.04.1 |
ubuntu/linux-aws-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-aws-6.5 | <6.5.0-1020.20~22.04.1 | 6.5.0-1020.20~22.04.1 |
ubuntu/linux-aws-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-aws-fips | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-aws-hwe | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-aws-hwe | <4.15.0-1168.181~16.04.1 | 4.15.0-1168.181~16.04.1 |
ubuntu/linux-azure | <5.4.0-1131.138 | 5.4.0-1131.138 |
ubuntu/linux-azure | <5.15.0-1066.75 | 5.15.0-1066.75 |
ubuntu/linux-azure | <6.5.0-1021.22 | 6.5.0-1021.22 |
ubuntu/linux-azure | <4.15.0-1177.192~14.04.1 | 4.15.0-1177.192~14.04.1 |
ubuntu/linux-azure | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure | <4.15.0-1177.192~16.04.1 | 4.15.0-1177.192~16.04.1 |
ubuntu/linux-azure-4.15 | <4.15.0-1177.192 | 4.15.0-1177.192 |
ubuntu/linux-azure-4.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure-5.4 | <5.4.0-1131.138~18.04.1 | 5.4.0-1131.138~18.04.1 |
ubuntu/linux-azure-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure-6.5 | <6.5.0-1021.22~22.04.1 | 6.5.0-1021.22~22.04.1 |
ubuntu/linux-azure-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure-fde | <5.15.0-1067.76.1 | 5.15.0-1067.76.1 |
ubuntu/linux-azure-fde | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure-fde-5.15 | <5.15.0-1065.74~20.04.1.1 | 5.15.0-1065.74~20.04.1.1 |
ubuntu/linux-azure-fde-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-azure-fips | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-bluefield | <5.4.0-1086.93 | 5.4.0-1086.93 |
ubuntu/linux-bluefield | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-fips | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gcp | <5.4.0-1130.139 | 5.4.0-1130.139 |
ubuntu/linux-gcp | <5.15.0-1062.70 | 5.15.0-1062.70 |
ubuntu/linux-gcp | <6.5.0-1020.20 | 6.5.0-1020.20 |
ubuntu/linux-gcp | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gcp | <4.15.0-1162.179~16.04.1 | 4.15.0-1162.179~16.04.1 |
ubuntu/linux-gcp-4.15 | <4.15.0-1162.179 | 4.15.0-1162.179 |
ubuntu/linux-gcp-4.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gcp-5.15 | <5.15.0-1062.70~20.04.1 | 5.15.0-1062.70~20.04.1 |
ubuntu/linux-gcp-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gcp-5.4 | <5.4.0-1130.139~18.04.1 | 5.4.0-1130.139~18.04.1 |
ubuntu/linux-gcp-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gcp-6.5 | <6.5.0-1020.20~22.04.1 | 6.5.0-1020.20~22.04.1 |
ubuntu/linux-gcp-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gcp-fips | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gke | <5.15.0-1060.66 | 5.15.0-1060.66 |
ubuntu/linux-gke | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gkeop | <5.4.0-1093.97 | 5.4.0-1093.97 |
ubuntu/linux-gkeop | <5.15.0-1046.53 | 5.15.0-1046.53 |
ubuntu/linux-gkeop | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-gkeop-5.15 | <5.15.0-1046.53~20.04.1 | 5.15.0-1046.53~20.04.1 |
ubuntu/linux-gkeop-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-hwe | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-hwe | <4.15.0-225.237~16.04.1 | 4.15.0-225.237~16.04.1 |
ubuntu/linux-hwe-5.15 | <5.15.0-113.123~20.04.1 | 5.15.0-113.123~20.04.1 |
ubuntu/linux-hwe-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-hwe-5.4 | <5.4.0-186.206~18.04.1 | 5.4.0-186.206~18.04.1 |
ubuntu/linux-hwe-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-hwe-6.5 | <6.5.0-35.35~22.04.1 | 6.5.0-35.35~22.04.1 |
ubuntu/linux-hwe-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-ibm | <5.4.0-1073.78 | 5.4.0-1073.78 |
ubuntu/linux-ibm | <5.15.0-1056.59 | 5.15.0-1056.59 |
ubuntu/linux-ibm | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-ibm-5.15 | <5.15.0-1057.60~20.04.1 | 5.15.0-1057.60~20.04.1 |
ubuntu/linux-ibm-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-ibm-5.4 | <5.4.0-1073.78~18.04.1 | 5.4.0-1073.78~18.04.1 |
ubuntu/linux-ibm-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-intel | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-intel-iotg | <5.15.0-1058.64 | 5.15.0-1058.64 |
ubuntu/linux-intel-iotg | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-intel-iotg-5.15 | <5.15.0-1058.64~20.04.1 | 5.15.0-1058.64~20.04.1 |
ubuntu/linux-intel-iotg-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-iot | <5.4.0-1038.39 | 5.4.0-1038.39 |
ubuntu/linux-iot | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-kvm | <4.15.0-1152.157 | 4.15.0-1152.157 |
ubuntu/linux-kvm | <5.4.0-1114.121 | 5.4.0-1114.121 |
ubuntu/linux-kvm | <5.15.0-1060.65 | 5.15.0-1060.65 |
ubuntu/linux-kvm | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-kvm | <4.4.0-1132.142 | 4.4.0-1132.142 |
ubuntu/linux-laptop | <6.5.0-1016.19 | 6.5.0-1016.19 |
ubuntu/linux-laptop | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-lowlatency | <5.15.0-110.120 | 5.15.0-110.120 |
ubuntu/linux-lowlatency | <6.5.0-35.35.1 | 6.5.0-35.35.1 |
ubuntu/linux-lowlatency | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-lowlatency-hwe-5.15 | <5.15.0-110.120~20.04.1 | 5.15.0-110.120~20.04.1 |
ubuntu/linux-lowlatency-hwe-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-lowlatency-hwe-6.5 | <6.5.0-35.35.1~22.04.1 | 6.5.0-35.35.1~22.04.1 |
ubuntu/linux-lowlatency-hwe-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-lts-xenial | <4.4.0-254.288~14.04.1 | 4.4.0-254.288~14.04.1 |
ubuntu/linux-lts-xenial | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-nvidia | <5.15.0-1058.59 | 5.15.0-1058.59 |
ubuntu/linux-nvidia | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-nvidia-6.5 | <6.5.0-1019.19 | 6.5.0-1019.19 |
ubuntu/linux-nvidia-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-oem-6.5 | <6.5.0-1023.24 | 6.5.0-1023.24 |
ubuntu/linux-oem-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-oem-6.8 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-oracle | <4.15.0-1131.142 | 4.15.0-1131.142 |
ubuntu/linux-oracle | <5.4.0-1125.134 | 5.4.0-1125.134 |
ubuntu/linux-oracle | <5.15.0-1061.67 | 5.15.0-1061.67 |
ubuntu/linux-oracle | <6.5.0-1023.23 | 6.5.0-1023.23 |
ubuntu/linux-oracle | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-oracle | <4.15.0-1131.142~16.04.1 | 4.15.0-1131.142~16.04.1 |
ubuntu/linux-oracle-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-oracle-5.4 | <5.4.0-1125.134~18.04.1 | 5.4.0-1125.134~18.04.1 |
ubuntu/linux-oracle-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-oracle-6.5 | <6.5.0-1023.23~22.04.1 | 6.5.0-1023.23~22.04.1 |
ubuntu/linux-oracle-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-raspi | <5.4.0-1110.122 | 5.4.0-1110.122 |
ubuntu/linux-raspi | <6.5.0-1017.20 | 6.5.0-1017.20 |
ubuntu/linux-raspi | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-raspi-5.4 | <5.4.0-1110.122~18.04.1 | 5.4.0-1110.122~18.04.1 |
ubuntu/linux-raspi-5.4 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-riscv | <6.5.0-35.35.1 | 6.5.0-35.35.1 |
ubuntu/linux-riscv | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-riscv-5.15 | <5.15.0-1059.63~20.04.1 | 5.15.0-1059.63~20.04.1 |
ubuntu/linux-riscv-5.15 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-riscv-6.5 | <6.5.0-35.35.1~22.04.1 | 6.5.0-35.35.1~22.04.1 |
ubuntu/linux-riscv-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-starfive | <6.5.0-1014.15 | 6.5.0-1014.15 |
ubuntu/linux-starfive | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-starfive-6.5 | <6.5.0-1014.15~22.04.1 | 6.5.0-1014.15~22.04.1 |
ubuntu/linux-starfive-6.5 | <6.8~<3.13. | 6.8~ 3.13. |
ubuntu/linux-xilinx-zynqmp | <5.4.0-1045.49 | 5.4.0-1045.49 |
ubuntu/linux-xilinx-zynqmp | <5.15.0-1030.34 | 5.15.0-1030.34 |
ubuntu/linux-xilinx-zynqmp | <6.8~<3.13. | 6.8~ 3.13. |
debian/linux | 5.10.218-1 5.10.221-1 6.1.94-1 6.1.99-1 6.9.9-1 6.9.10-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)