U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-26613

Change History

CVE Translated by kernel.org 3/12/2024 10:15:07 AM

Action Type Old Value New Value
Removed Translation
Title: kernel de Linux
Description: En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/rds: Corrección de UBSAN: array-index-out-of-bounds en rds_cmsg_recv El bloqueo de Syzcaller UBSAN ocurre en rds_cmsg_recv(), que dice inc->i_rx_lat_trace[j + 1] con índice 4 (3 + 1), pero con tamaño de matriz de 4 (RDS_RX_MAX_TRACES). Aquí 'j' se asigna desde rs->rs_rx_trace[i] y, a su vez, desde trace.rx_trace_pos[i] en rds_recv_track_latency(), con ambas matrices de tamaño 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). Así que arregle la verificación de los límites fuera de uno en rds_recv_track_latency() para evitar un posible fallo en rds_cmsg_recv(). Encontrado por syzcaller: ================================================ =================== UBSAN: índice de matriz fuera de los límites en net/rds/recv.c:585:39 el índice 4 está fuera de rango para el tipo 'u64 [4]' CPU: 1 PID: 8058 Comm: syz-executor228 No contaminado 6.6.0-gd2f51b3516da #1 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/ Seguimiento de llamadas de 2014:  __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [en línea] __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan. c:348 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716 sock_recvmsg_nosec net/socket.c:1044 [en línea] sock_recvmsg+0xe2/0x1 60 netos/toma .c:1066 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246 __do_sys_recvfrom net/socket.c:2264 [en línea] __se_sys_recvfrom net/socket.c:2260 [en línea] __x64_sys_recvfrom+0xe0/0x1b0 net/socket .c:2260 do_syscall_x64 arch/x86/entry/common.c:51 [en línea] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 Entry_SYSCALL_64_after_hwframe+0x63/0x6b =============== ==================================================== ==

								
						

CVE Modified by kernel.org 3/12/2024 10:15:07 AM

Action Type Old Value New Value
Changed Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv

Syzcaller UBSAN crash occurs in rds_cmsg_recv(),
which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
but with array size of 4 (RDS_RX_MAX_TRACES).
Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
trace.rx_trace_pos[i] in rds_recv_track_latency(),
with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the
off-by-one bounds check in rds_recv_track_latency() to prevent
a potential crash in rds_cmsg_recv().

Found by syzcaller:
=================================================================
UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39
index 4 is out of range for type 'u64 [4]'
CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585
 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg+0xe2/0x160 net/socket.c:1066
 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246
 __do_sys_recvfrom net/socket.c:2264 [inline]
 __se_sys_recvfrom net/socket.c:2260 [inline]
 __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
==================================================================
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Removed Reference
Linux https://git.kernel.org/stable/c/00d1ee8e1d02194f7b7b433e904e04bbcd2cc0dc

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/0b787c2dea15e7a2828fa3a74a5447df4ed57711

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/13e788deb7348cc88df34bed736c3b3b9927ea52

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/344350bfa3b4b37d7c3d5a00536e6fbf0e953fbf

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/5ae8d50044633306ff160fcf7faa24994175efe1

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/71024928b3f71ce4529426f8692943205c58d30b

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/7a73190ea557e7f26914b0fe04c1f57a96cb771f

								
						
Removed Reference
Linux https://git.kernel.org/stable/c/a37ae111db5e0f7e3d6b692056c30e3e0f6f79cd

								
						

CVE Rejected by kernel.org 3/12/2024 10:15:07 AM

Action Type Old Value New Value