CVE-2024-50142 Information

Nov 08, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

xfrm: validate new SA’s prefixlen using SA family when sel.family is unset

This expands the validation introduced in commit 07bf7908950a (rm: Validate address prefix lengths in the xfrm selector.)

syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET

Because of the AF_UNSPEC selector verify_newsa_info doesn’t put limits on prefixlen_sd. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_sd since that’s how prefixlen is going to be used later on.

Reference

https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71 https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862 https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366 https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563

Share on: