-
CVE-2024-35944
- EPSS 0.06%
- Veröffentlicht 19.05.2024 11:15:50
- Zuletzt bearbeitet 21.11.2024 09:21:15
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- Teams Watchlist Login
- Unerledigt Login
In the Linux kernel, the following vulnerability has been resolved:
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
Some code commentry, based on my understanding:
544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size
memcpy(&dg_info->msg, dg, dg_size);
Destination = dg_info->msg ---> this is a 24 byte
structure(struct vmci_datagram)
Source = dg --> this is a 24 byte structure (struct vmci_datagram)
Size = dg_size = 24 + payload_size
{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.
35 struct delayed_datagram_info {
36 struct datagram_entry *entry;
37 struct work_struct work;
38 bool in_dg_host_queue;
39 /* msg and msg_payload must be together. */
40 struct vmci_datagram msg;
41 u8 msg_payload[];
42 };
So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.
One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.
Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
130b0cd064874e0d0f58e18fb00e6f3993e90c74
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
dae70a57565686f16089737adb8ac64471570f73
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
491a1eb07c2bd8841d63cb5263455e185be5866f
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
19b070fefd0d024af3daa7329cbc0d00de5302ec
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version <=
4.19.*
Version
4.19.312
Status
unaffected
Version <=
5.4.*
Version
5.4.274
Status
unaffected
Version <=
5.10.*
Version
5.10.215
Status
unaffected
Version <=
5.15.*
Version
5.15.155
Status
unaffected
Version <=
6.1.*
Version
6.1.86
Status
unaffected
Version <=
6.6.*
Version
6.6.27
Status
unaffected
Version <=
6.8.*
Version
6.8.6
Status
unaffected
Version <=
*
Version
6.9
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.183 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|