CVE-2024-50142

Summary

In the Linux kernel, the following vulnerability has been resolved:

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")

syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET

Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f31398570acf0f0804c644006f7bfa9067106b0aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 401ad99a5ae7180dd9449eac104cb755f442e7f3affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8df5cd51fd70c33aa1776e5cbcd82b0a86649d73affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < bce1afaa212ec380bf971614f70909a27882b862affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7d9868180bd1e4cf37e7c5067362658971162366affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < e68dd80ba498265d2266b12dc3459164f4ff0c4aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux4.19.323 <= 4.19.*unaffected
LinuxLinux5.4.285 <= 5.4.*unaffected
LinuxLinux5.10.229 <= 5.10.*unaffected
LinuxLinux5.15.170 <= 5.15.*unaffected
LinuxLinux6.1.115 <= 6.1.*unaffected
LinuxLinux6.6.59 <= 6.6.*unaffected
LinuxLinux6.11.6 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

Additional References

References