| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024111904-CVE-2024-50299-795d@gregkh>
Date: Tue, 19 Nov 2024 02:32:54 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-50299: sctp: properly validate chunk size in sctp_sf_ootb()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
sctp: properly validate chunk size in sctp_sf_ootb()
A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:
BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
The Linux kernel CVE team has assigned CVE-2024-50299 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 4.19.324 with commit 67b9a278b80f
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 5.4.286 with commit 9b5d42aeaf1a
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 5.10.230 with commit 40b283ba7666
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 5.15.172 with commit a758aa6a773b
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.1.117 with commit bf9bff13225b
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.6.61 with commit d3fb3cc83cf3
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.11.8 with commit 8820d2d6589f
Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.12 with commit 0ead60804b64
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-50299
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/sctp/sm_statefuns.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/67b9a278b80f71ec62091ded97c6bcbea33b5ec3
https://git.kernel.org/stable/c/9b5d42aeaf1a52f73b003a33da6deef7df34685f
https://git.kernel.org/stable/c/40b283ba76665437bc2ac72079c51b57b25bff9e
https://git.kernel.org/stable/c/a758aa6a773bb872196bcc3173171ef8996bddf0
https://git.kernel.org/stable/c/bf9bff13225baf5f658577f7d985fc4933d79527
https://git.kernel.org/stable/c/d3fb3cc83cf313e4f87063ce0f3fea76b071567b
https://git.kernel.org/stable/c/8820d2d6589f62ee5514793fff9b50c9f8101182
https://git.kernel.org/stable/c/0ead60804b64f5bd6999eec88e503c6a1a242d41
Powered by blists - more mailing lists