CVE-2024-50033: slip: make slhc_remember() more robust against malicious packets
First published: Mon Oct 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets [1]. slhc_remember() only checked the size of the packet was at least 20, which is not good enough. We need to make sure the packet includes the IPv4 and TCP header that are supposed to be carried. Add iph and th pointers to make the code more readable. [1] BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455 ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline] ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212 ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=3.2<5.10.227 | |
| Linux Kernel | >=5.11<5.15.168 | |
| Linux Kernel | >=5.16<6.1.113 | |
| Linux Kernel | >=6.2<6.6.57 | |
| Linux Kernel | >=6.7<6.11.4 | |
| Linux Kernel | =6.12-rc1 | |
| Linux Kernel | =6.12-rc2 | |
| debian/linux | <=5.10.223-1<=5.10.226-1 | 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 |
| debian/linux-6.1 | 6.1.119-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c
- https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af
- https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a
- https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c
- https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246
- https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7
- https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50033
- https://nvd.nist.gov/vuln/detail/CVE-2024-50033
- https://launchpad.net/bugs/cve/CVE-2024-50033
- https://security-tracker.debian.org/tracker/CVE-2024-50033
- https://ubuntu.com/security/CVE-2024-50033
- https://git.kernel.org/linus/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c
Frequently Asked Questions
What is the severity of CVE-2024-50033?
CVE-2024-50033 has been rated as a vulnerability in the Linux kernel, necessitating attention for systems running affected versions.
Which versions of the Linux kernel are affected by CVE-2024-50033?
CVE-2024-50033 impacts Linux kernel versions ranging from 3.2 to 6.12-rc2.
How do I fix CVE-2024-50033?
To resolve CVE-2024-50033, update your Linux kernel to a fixed version such as 6.1.123-1 or later.
Is there a workaround for CVE-2024-50033?
There is no documented workaround for CVE-2024-50033; upgrading is the recommended mitigation.
What type of vulnerability is CVE-2024-50033?
CVE-2024-50033 is a robustness issue in the Linux kernel's slip protocol handling.
- agent/title
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/source
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/3.2
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.12-rc1
- version/linux kernel/6.12-rc2
- package-manager/debian