5.5

CVE-2024-35944

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentry, based on my understanding:

544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size

memcpy(&dg_info->msg, dg, dg_size);
	Destination = dg_info->msg ---> this is a 24 byte
					structure(struct vmci_datagram)
	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
	Size = dg_size = 24 + payload_size

{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

 35 struct delayed_datagram_info {
 36         struct datagram_entry *entry;
 37         struct work_struct work;
 38         bool in_dg_host_queue;
 39         /* msg and msg_payload must be together. */
 40         struct vmci_datagram msg;
 41         u8 msg_payload[];
 42 };

So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.

Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 4.19.312
LinuxLinux Kernel Version >= 4.20 < 5.4.274
LinuxLinux Kernel Version >= 5.5 < 5.10.215
LinuxLinux Kernel Version >= 5.11 < 5.15.155
LinuxLinux Kernel Version >= 5.16 < 6.1.86
LinuxLinux Kernel Version >= 6.2 < 6.6.27
LinuxLinux Kernel Version >= 6.7 < 6.8.6
DebianDebian Linux Version10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.138
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Third Party Advisory
Mailing List
https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74
Patch
https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec
Patch
https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f
Patch
https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
Patch
https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73
Patch
https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
Patch
https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
Patch
https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
Patch
https://cert-portal.siemens.com/productcert/html/ssa-398330.html
https://cert-portal.siemens.com/productcert/html/ssa-265688.html