Description

In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents a division error in netem_enqueue function which is caused when skb->len=0 and skb->data_len=0 in the randomized corruption step as shown below. skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 343.216110] netem: version 1.3 [ 343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+ [ 343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem] [ 343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f 74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246 [ 343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15: 0000000000000020 [ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.248350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.250076] Call Trace: [ 343.250423] <TASK> [ 343.250713] ? memcpy+0x4d/0x60 [ 343.251162] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.251795] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.252443] netem_enqueue+0xe28/0x33c0 [sch_netem] [ 343.253102] ? stack_trace_save+0x87/0xb0 [ 343.253655] ? filter_irq_stacks+0xb0/0xb0 [ 343.254220] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.254837] ? __kasan_check_write+0x14/0x20 [ 343.255418] ? _raw_spin_lock+0x88/0xd6 [ 343.255953] dev_qdisc_enqueue+0x50/0x180 [ 343.256508] __dev_queue_xmit+0x1a7e/0x3090 [ 343.257083] ? netdev_core_pick_tx+0x300/0x300 [ 343.257690] ? check_kcov_mode+0x10/0x40 [ 343.258219] ? _raw_spin_unlock_irqrestore+0x29/0x40 [ 343.258899] ? __kasan_init_slab_obj+0x24/0x30 [ 343.259529] ? setup_object.isra.71+0x23/0x90 [ 343.260121] ? new_slab+0x26e/0x4b0 [ 343.260609] ? kasan_poison+0x3a/0x50 [ 343.261118] ? kasan_unpoison+0x28/0x50 [ 343.261637] ? __kasan_slab_alloc+0x71/0x90 [ 343.262214] ? memcpy+0x4d/0x60 [ 343.262674] ? write_comp_data+0x2f/0x90 [ 343.263209] ? __kasan_check_write+0x14/0x20 [ 343.263802] ? __skb_clone+0x5d6/0x840 [ 343.264329] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.264958] dev_queue_xmit+0x1c/0x20 [ 343.265470] netlink_deliver_tap+0x652/0x9c0 [ 343.266067] netlink_unicast+0x5a0/0x7f0 [ 343.266608] ? netlink_attachskb+0x860/0x860 [ 343.267183] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.267820] ? write_comp_data+0x2f/0x90 [ 343.268367] netlink_sendmsg+0x922/0xe80 [ 343.268899] ? netlink_unicast+0x7f0/0x7f0 [ 343.269472] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.270099] ? write_comp_data+0x2f/0x90 [ 343.270644] ? netlink_unicast+0x7f0/0x7f0 [ 343.271210] sock_sendmsg+0x155/0x190 [ 343.271721] ____sys_sendmsg+0x75f/0x8f0 [ 343.272262] ? kernel_sendmsg+0x60/0x60 [ 343.272788] ? write_comp_data+0x2f/0x90 [ 343.273332] ? write_comp_data+0x2f/0x90 [ 343.273869] ___sys_sendmsg+0x10f/0x190 [ 343.274405] ? sendmsg_copy_msghdr+0x80/0x80 [ 343.274984] ? slab_post_alloc_hook+0x70/0x230 [ 343.275597] ? futex_wait_setup+0x240/0x240 [ 343.276175] ? security_file_alloc+0x3e/0x170 [ 343.276779] ? write_comp_d ---truncated---

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  5.5 MEDIUM

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/40cf2e058832d9cfaae98dfd77334926275598b6	Patch
https://git.kernel.org/stable/c/4c986072a8c9249b9398c7a18f216dc26a9f0e35	Patch
https://git.kernel.org/stable/c/54e785f7d5c197bc06dbb8053700df7e2a093ced	Patch
https://git.kernel.org/stable/c/c0315e93552e0d840e9edc6abd71c7db82ec8f51	Patch
https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010	Patch
https://git.kernel.org/stable/c/dadce61247c6230489527cc5e343b6002d1114c5	Patch
https://git.kernel.org/stable/c/f123cffdd8fe8ea6c7fded4b88516a42798797d0	Patch
https://git.kernel.org/stable/c/ff3f517bf7138e01a17369042908a3f345c0ee41	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-369	Divide By Zero	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 10/31/2024 9:58:05 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 904 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 4.4.296 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.5 up to (excluding) 4.9.294 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.14.259 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.222 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up t
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE		NIST CWE-369
Changed	Reference Type	https://git.kernel.org/stable/c/40cf2e058832d9cfaae98dfd77334926275598b6 No Types Assigned	https://git.kernel.org/stable/c/40cf2e058832d9cfaae98dfd77334926275598b6 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/4c986072a8c9249b9398c7a18f216dc26a9f0e35 No Types Assigned	https://git.kernel.org/stable/c/4c986072a8c9249b9398c7a18f216dc26a9f0e35 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/54e785f7d5c197bc06dbb8053700df7e2a093ced No Types Assigned	https://git.kernel.org/stable/c/54e785f7d5c197bc06dbb8053700df7e2a093ced Patch
Changed	Reference Type	https://git.kernel.org/stable/c/c0315e93552e0d840e9edc6abd71c7db82ec8f51 No Types Assigned	https://git.kernel.org/stable/c/c0315e93552e0d840e9edc6abd71c7db82ec8f51 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010 No Types Assigned	https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/dadce61247c6230489527cc5e343b6002d1114c5 No Types Assigned	https://git.kernel.org/stable/c/dadce61247c6230489527cc5e343b6002d1114c5 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/f123cffdd8fe8ea6c7fded4b88516a42798797d0 No Types Assigned	https://git.kernel.org/stable/c/f123cffdd8fe8ea6c7fded4b88516a42798797d0 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/ff3f517bf7138e01a17369042908a3f345c0ee41 No Types Assigned	https://git.kernel.org/stable/c/ff3f517bf7138e01a17369042908a3f345c0ee41 Patch

New CVE Received by NIST 6/19/2024 11:15:55 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3998 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents a division error in netem_enqueue function which is caused when skb->len=0 and skb->data_len=0 in the randomized corruption step as shown below. skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] typ
Added	Reference		kernel.org https://git.kernel.org/stable/c/40cf2e058832d9cfaae98dfd77334926275598b6 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/4c986072a8c9249b9398c7a18f216dc26a9f0e35 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/54e785f7d5c197bc06dbb8053700df7e2a093ced [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/c0315e93552e0d840e9edc6abd71c7db82ec8f51 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/dadce61247c6230489527cc5e343b6002d1114c5 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/f123cffdd8fe8ea6c7fded4b88516a42798797d0 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/ff3f517bf7138e01a17369042908a3f345c0ee41 [No types assigned]