CVE-2024-38538

CVSS v3.1 7.1 (High)
71% Progress
EPSS 0.04 % (5th)
0.04% Progress
Affected Products 1
Advisories 11
NVD Status Analyzed

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: xmit: make sure we have at least eth header len bytes

syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
drop at: br_dev_xmit+0xb93/0x12d0 bridge
origin: software
timestamp: Mon May 13 11:31:53 2024 778214037 nsec
protocol: 0x88a8
length: 2
original length: 2
drop reason: PKT_TOO_SMALL

[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
__dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
__bpf_tx_skb net/core/filter.c:2136 [inline]
__bpf_redirect_common net/core/filter.c:2180 [inline]
__bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
____bpf_clone_redirect net/core/filter.c:2460 [inline]
bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
__bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
__do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
__x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Weaknesses
CWE-908
Use of Uninitialized Resource
CVE Status
PUBLISHED
NVD Status
Analyzed
CNA
kernel.org
Published Date
2024-06-19 14:15:14
(2 months ago)
Updated Date
2024-08-29 02:26:05
(2 weeks ago)

Affected Products

Loading...
Loading...

Configuration #1

    CPE23 From Up To
  Linux Kernel from 2.6.12 version and prior 6.1.93 version cpe:2.3:o:linux:linux_kernel >= 2.6.12 < 6.1.93
  Linux Kernel from 6.2 version and prior 6.6.33 version cpe:2.3:o:linux:linux_kernel >= 6.2 < 6.6.33
  Linux Kernel from 6.7 version and prior 6.8.12 version cpe:2.3:o:linux:linux_kernel >= 6.7 < 6.8.12
  Linux Kernel from 6.9 version and prior 6.9.3 version cpe:2.3:o:linux:linux_kernel >= 6.9 < 6.9.3
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...