From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2024-26638: nbd: always initialize struct msghdr completely
Date: Mon, 18 Mar 2024 10:15:06 +0000
Message-ID: <20240318101458.2835626-16-lee@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nbd: always initialize struct msghdr completely

syzbot complains that msg->msg_get_inq value can be uninitialized [1]

struct msghdr got many new fields recently, we should always make sure
their values are zero by default.
[1]
BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
 inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg+0x12b/0x1e0 net/socket.c:1066
 __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538
 nbd_read_reply drivers/block/nbd.c:732 [inline]
 recv_work+0x262/0x3100 drivers/block/nbd.c:863
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Local variable msg created at:
 __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513
 nbd_read_reply drivers/block/nbd.c:732 [inline]
 recv_work+0x262/0x3100 drivers/block/nbd.c:863

CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: nbd5-recv recv_work

The Linux kernel CVE team has assigned CVE-2024-26638 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 5.19 with commit f94fd25cb0aa and fixed in 6.1.76 with commit d9c54763e5cd
	Issue introduced in 5.19 with commit f94fd25cb0aa and fixed in 6.6.15 with commit 1960f2b534da
	Issue introduced in 5.19 with commit f94fd25cb0aa and fixed in 6.7.3 with commit b0028f333420
	Issue introduced in 5.19 with commit f94fd25cb0aa and fixed in 6.8 with commit 78fbb92af27d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.
The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26638
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/block/nbd.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d9c54763e5cdbbd3f81868597fe8aca3c96e6387
	https://git.kernel.org/stable/c/1960f2b534da1e6c65fb96f9e98bda773495f406
	https://git.kernel.org/stable/c/b0028f333420a65a53a63978522db680b37379dd
	https://git.kernel.org/stable/c/78fbb92af27d0982634116c7a31065f24d092826
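The defect described above is a C initialisation pattern rather than anything specific to nbd: a stack struct is declared, only the members the caller knows about are assigned, and a member added to the struct later (msg_get_inq) is passed down to the receive path still holding stale stack contents. The userspace program below is an added example, not code from the kernel, the nbd driver or the fix commits. Its struct msghdr_like is a constructed stand-in whose field list is illustrative and not the real kernel layout, and STACK_POISON models "whatever was left on the stack" deterministically (the way CONFIG_INIT_STACK_ALL_PATTERN fills frames) so the two patterns can be compared without relying on undefined behaviour. It contrasts member-by-member assignment with a compound-literal assignment that zero-fills every member, which is what the fix's title asks for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the kernel's struct msghdr. This is NOT the real
 * kernel layout; it only needs a "newer" member (msg_get_inq, the one KMSAN
 * flagged) that older call sites never assign.
 */
struct msghdr_like {
    void        *msg_name;
    int          msg_namelen;
    unsigned int msg_flags;
    void        *msg_control;
    size_t       msg_controllen;
    int          msg_inq;
    int          msg_get_inq;   /* added after the call site was written */
};

/* Lets us pre-fill the struct's storage byte-wise, then view it as a struct. */
union frame {
    struct msghdr_like msg;
    unsigned char bytes[sizeof(struct msghdr_like)];
};

/* Stand-in for stale stack contents; makes the outcome deterministic. */
#define STACK_POISON 0xAA

/*
 * Pre-fix pattern: assign only the members this caller cares about.
 * Every member not mentioned keeps the previous stack contents.
 * Returns what a consumer such as a receive path would read from msg_get_inq.
 */
int partial_init_get_inq(void)
{
    union frame f;
    memset(f.bytes, STACK_POISON, sizeof f.bytes);  /* "dirty" frame */

    f.msg.msg_flags = 0;            /* only these three are written ... */
    f.msg.msg_control = NULL;
    f.msg.msg_controllen = 0;
    /* ... msg_get_inq is never touched, so the consumer sees 0xAAAAAAAA */
    return f.msg.msg_get_inq;
}

/*
 * Fixed pattern: assign a whole compound literal. Members not named in the
 * initializer are zero-filled, including ones added to the struct later.
 * Returns what the consumer would read from msg_get_inq.
 */
int full_init_get_inq(void)
{
    union frame f;
    memset(f.bytes, STACK_POISON, sizeof f.bytes);  /* same dirty frame */

    f.msg = (struct msghdr_like){ .msg_flags = 0 }; /* everything else -> 0 */
    return f.msg.msg_get_inq;
}

/* Returns 1 if every named member is zero (padding bytes are ignored on purpose). */
int all_members_zero(const struct msghdr_like *m)
{
    return m->msg_name == NULL && m->msg_namelen == 0 && m->msg_flags == 0 &&
           m->msg_control == NULL && m->msg_controllen == 0 &&
           m->msg_inq == 0 && m->msg_get_inq == 0;
}

/* Returns 1 if a designated initializer zero-fills the members it does not name. */
int designated_init_zero_fills(void)
{
    struct msghdr_like msg = { .msg_flags = 0 };
    return all_members_zero(&msg);
}

int main(void)
{
    printf("partial init: msg_get_inq = 0x%08x\n", (unsigned)partial_init_get_inq());
    printf("full init:    msg_get_inq = 0x%08x\n", (unsigned)full_init_get_inq());
    printf("designated initializer zero-fills unnamed members: %s\n",
           designated_init_zero_fills() ? "yes" : "no");
    return 0;
}
```

The same property holds for `struct msghdr msg = {};` or a `memset()` of the whole object, so any of those forms keeps a call site correct when the struct later grows. As defence in depth, a kernel built with CONFIG_INIT_STACK_ALL_ZERO gets zero-filled locals regardless of the call site, and KMSAN (the tool that produced the report quoted above) is the way to detect the cases that slip through.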