5.5

CVE-2024-26851

netfilter: nf_conntrack_h323: Add protection for bmp length out of range

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: Add protection for bmp length out of range

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
that are out of bounds for their data type.

vmlinux   get_bitmap(b=75) + 712
<net/netfilter/nf_conntrack_h323_asn1.c:0>
vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
<net/netfilter/nf_conntrack_h323_asn1.c:592>
vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
<net/netfilter/nf_conntrack_h323_asn1.c:576>
vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   DecodeRasMessage() + 304
<net/netfilter/nf_conntrack_h323_asn1.c:833>
vmlinux   ras_help() + 684
<net/netfilter/nf_conntrack_h323_main.c:1728>
vmlinux   nf_confirm() + 188
<net/netfilter/nf_conntrack_proto.c:137>

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding ras message then uses the length to make
a shift operation. It will change into negative after several loop.
UBSAN load could detect a negative shift as an undefined behaviour
and reports exception.
So we add the protection to avoid the length exceeding 32. Or else
it will return out of range error and stop decoding.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.17 < 4.19.310
LinuxLinux Kernel Version >= 4.20 < 5.4.272
LinuxLinux Kernel Version >= 5.5 < 5.10.213
LinuxLinux Kernel Version >= 5.11 < 5.15.152
LinuxLinux Kernel Version >= 5.16 < 6.1.82
LinuxLinux Kernel Version >= 6.2 < 6.6.22
LinuxLinux Kernel Version >= 6.7 < 6.7.10
LinuxLinux Kernel Version6.8 Updaterc1
LinuxLinux Kernel Version6.8 Updaterc2
LinuxLinux Kernel Version6.8 Updaterc3
LinuxLinux Kernel Version6.8 Updaterc4
LinuxLinux Kernel Version6.8 Updaterc5
LinuxLinux Kernel Version6.8 Updaterc6
DebianDebian Linux Version10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.148
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Mailing List
https://git.kernel.org/stable/c/014a807f1cc9c9d5173c1cd935835553b00d211c
Patch
https://git.kernel.org/stable/c/39001e3c42000e7c2038717af0d33c32319ad591
Patch
https://git.kernel.org/stable/c/4bafcc43baf7bcf93566394dbd15726b5b456b7a
Patch
https://git.kernel.org/stable/c/767146637efc528b5e3d31297df115e85a2fd362
Patch
https://git.kernel.org/stable/c/80ee5054435a11c87c9a4f30f1ff750080c96416
Patch
https://git.kernel.org/stable/c/98db42191329c679f4ca52bec0b319689e1ad8cb
Patch
https://git.kernel.org/stable/c/b3c0f553820516ad4b62a9390ecd28d6f73a7b13
Patch
https://git.kernel.org/stable/c/ccd1108b16ab572d9bf635586b0925635dbd6bbc
Patch
https://cert-portal.siemens.com/productcert/html/ssa-265688.html