This CVE has been marked Rejected in the CVE List. These CVEs are stored in the NVD, but do not show up in search results by default.
Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Title: Linux kernel
Description: In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: add overflow debug check to pull/push helpers
syzbot managed to trigger the following splat:
BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50
Read of size 1 at addr ffff888208a4000e by task a.out/2313
[..]
__skb_flow_dissect+0x4a3b/0x5e50
__skb_get_hash+0xb4/0x400
ip_tunnel_xmit+0x77e/0x26f0
ipip_tunnel_xmit+0x298/0x410
..
Analysis shows that the skb has a valid ->head, but a bogus ->data pointer.
skb->data gets its bogus value via the neigh layer, which does:
1556 __skb_pull(skb, skb_network_offset(skb));
... and the skb was already dodgy at this point: skb_network_offset(skb) returns a negative value due to an earlier overflow of skb->network_header (u16). __skb_pull thus "adjusts" skb->data by a huge offset, pointing outside the skb->head area.
Allow debug builds to splat when we try to pull/push more than INT_MAX bytes.
After this, the syzkaller reproducer yields a more precise splat before the flow dissector attempts to read off skb->data memory:
WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400
ip_finish_output2+0xb25/0xed0
iptunnel_xmit+0x4ff/0x870
ipgre_xmit+0x78e/0xbb0
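The integer behaviour the description walks through (a u16 header offset wrapping, the resulting negative offset reaching a helper that takes an unsigned length, and a check for more than INT_MAX bytes), as an added user-space example; it is not kernel code and not part of the CVE record. The `toy_*` names, the 66000-byte offset and the buffer size are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the fields named in the description; not kernel code. */
struct toy_skb {
    uint32_t data_off;       /* position of ->data, as an offset from ->head */
    uint16_t network_header; /* header offset from ->head, u16 as on the page */
    uint32_t buf_size;       /* size of the ->head area */
};

/* Storing an offset above 65535 in the u16 field silently wraps. */
static void toy_set_network_header(struct toy_skb *skb, uint32_t off)
{
    skb->network_header = (uint16_t)off;
}

/* Same shape as skb_network_offset(): header position minus ->data, as int. */
static int toy_network_offset(const struct toy_skb *skb)
{
    return (int)skb->network_header - (int)skb->data_off;
}

/* Where ->data would land if the pull were applied with no check. */
static uint64_t toy_pull_target(const struct toy_skb *skb, unsigned int len)
{
    return (uint64_t)skb->data_off + len;
}

/* Pull with the overflow check: a negative int arrives here as len > INT_MAX.
 * This model refuses the pull (returns -1) so the caller can observe it. */
static int toy_pull_checked(struct toy_skb *skb, unsigned int len)
{
    if (len > INT_MAX)
        return -1;
    skb->data_off += len;
    return 0;
}

int main(void)
{
    struct toy_skb skb = { .data_off = 66000, .buf_size = 131072 };
    toy_set_network_header(&skb, 66000);  /* constructed value; wraps */
    int off = toy_network_offset(&skb);
    printf("offset=%d unchecked target=%llu checked=%d\n", off,
           (unsigned long long)toy_pull_target(&skb, (unsigned int)off),
           toy_pull_checked(&skb, (unsigned int)off));
    return 0;
}
```

The description presents the kernel check only as a debug-build splat; refusing the pull is a choice of this model.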
CVE Modified by kernel.org 6/04/2024 9:15:52 AM
Action: Changed
Type: Description
Old Value:
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: add overflow debug check to pull/push helpers
syzbot managed to trigger following splat:
BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50
Read of size 1 at addr ffff888208a4000e by task a.out/2313
[..]
__skb_flow_dissect+0x4a3b/0x5e50
__skb_get_hash+0xb4/0x400
ip_tunnel_xmit+0x77e/0x26f0
ipip_tunnel_xmit+0x298/0x410
..
Analysis shows that the skb has a valid ->head, but bogus ->data
pointer.
skb->data gets its bogus value via the neigh layer, which does:
1556 __skb_pull(skb, skb_network_offset(skb));
... and the skb was already dodgy at this point:
skb_network_offset(skb) returns a negative value due to an
earlier overflow of skb->network_header (u16). __skb_pull thus
"adjusts" skb->data by a huge offset, pointing outside skb->head
area.
Allow debug builds to splat when we try to pull/push more than
INT_MAX bytes.
After this, the syzkaller reproducer yields a more precise splat
before the flow dissector attempts to read off skb->data memory:
WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400
ip_finish_output2+0xb25/0xed0
iptunnel_xmit+0x4ff/0x870
ipgre_xmit+0x78e/0xbb0
New Value: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
New CVE Received from kernel.org 5/19/2024 7:15:49 AM
Action: Added
Type: Description
Old Value: (empty)
New Value:
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: add overflow debug check to pull/push helpers
syzbot managed to trigger following splat:
BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50
Read of size 1 at addr ffff888208a4000e by task a.out/2313
[..]
__skb_flow_dissect+0x4a3b/0x5e50
__skb_get_hash+0xb4/0x400
ip_tunnel_xmit+0x77e/0x26f0
ipip_tunnel_xmit+0x298/0x410
..
Analysis shows that the skb has a valid ->head, but bogus ->data
pointer.
skb->data gets its bogus value via the neigh layer, which does:
1556 __skb_pull(skb, skb_network_offset(skb));
... and the skb was already dodgy at this point:
skb_network_offset(skb) returns a negative value due to an
earlier overflow of skb->network_header (u16). __skb_pull thus
"adjusts" skb->data by a huge offset, pointing outside skb->head
area.
Allow debug builds to splat when we try to pull/push more than
INT_MAX bytes.
After this, the syzkaller reproducer yields a more precise splat
before the flow dissector attempts to read off skb->data memory:
WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400
ip_finish_output2+0xb25/0xed0
iptunnel_xmit+0x4ff/0x870
ipgre_xmit+0x78e/0xbb0