* Re: CVE-2024-49995: tipc: guard against string buffer overrun [not found] <2024102138-CVE-2024-49995-ec59@gregkh> @ 2025-04-24 6:11 ` Harshit Mogalapalli 2025-04-24 7:30 ` Simon Horman 2025-04-24 8:17 ` Dan Carpenter 0 siblings, 2 replies; 5+ messages in thread From: Harshit Mogalapalli @ 2025-04-24 6:11 UTC (permalink / raw) To: cve, linux-kernel, linux-cve-announce, Simon Horman, Dan Carpenter Cc: Greg Kroah-Hartman Hi, On 21/10/24 23:33, Greg Kroah-Hartman wrote: > Description > =========== > > In the Linux kernel, the following vulnerability has been resolved: > > tipc: guard against string buffer overrun > > Smatch reports that copying media_name and if_name to name_parts may > overwrite the destination. > > .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) > .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) > > This does seem to be the case so guard against this possibility by using > strscpy() and failing if truncation occurs. > > Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") > > Compile tested only. > > The Linux kernel CVE team has assigned CVE-2024-49995 to this issue. > > Looking at the fix commit with more lines around the fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6555a2a9212be6983d2319d65276484f7c5f431a&context=30 /* validate component parts of bearer name */ if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) || (if_len <= 1) || (if_len > TIPC_MAX_IF_NAME)) return 0; /* return bearer name components, if necessary */ if (name_parts) { - strcpy(name_parts->media_name, media_name); - strcpy(name_parts->if_name, if_name); + if (strscpy(name_parts->media_name, media_name, + TIPC_MAX_MEDIA_NAME) < 0) + return 0; + if (strscpy(name_parts->if_name, if_name, + TIPC_MAX_IF_NAME) < 0) + return 0; } return 1; both media_len and if_len have validation checks above the if(name_parts) check. So I think this patch just silences the static checker warnings. Simon/Dan , could you please help confirming that ? Thanks, Harshit > Affected and fixed versions > =========================== > > Fixed in 5.10.227 with commit e2b2558971e0 > Fixed in 5.15.168 with commit 54dae0e9063e > Fixed in 6.1.113 with commit 80c0be7bcf94 > Fixed in 6.6.55 with commit 12d26aa7fd3c > Fixed in 6.10.14 with commit 2ed7f42dfd3e > Fixed in 6.11.3 with commit a18c7b239d02 > Fixed in 6.12-rc1 with commit 6555a2a9212b > > Please see https://www.kernel.org for a full list of currently supported > kernel versions by the kernel community. > > Unaffected versions might change over time as fixes are backported to > older supported kernel versions. The official CVE entry at > https://cve.org/CVERecord/?id=CVE-2024-49995 > will be updated if fixes are backported, please check that for the most > up to date information about this issue. > > > Affected files > ============== > > The file(s) affected by this issue are: > net/tipc/bearer.c > > > Mitigation > ========== > > The Linux kernel CVE team recommends that you update to the latest > stable kernel version for this, and many other bugfixes. Individual > changes are never tested alone, but rather are part of a larger kernel > release. Cherry-picking individual commits is not recommended or > supported by the Linux kernel community at all. If however, updating to > the latest release is impossible, the individual changes to resolve this > issue can be found at these commits: > https://git.kernel.org/stable/c/e2b2558971e02ca33eb637a8350d68a48b3e8e46 > https://git.kernel.org/stable/c/54dae0e9063ed23c9acf8d5ab9b18d3426a8ac18 > https://git.kernel.org/stable/c/80c0be7bcf940ce9308311575c3aff8983c9b97a > https://git.kernel.org/stable/c/12d26aa7fd3cbdbc5149b6e516563478d575026e > https://git.kernel.org/stable/c/2ed7f42dfd3edb387034128ca5b0f639836d4ddd > https://git.kernel.org/stable/c/a18c7b239d02aafb791ae2c45226f6bb40641792 > https://git.kernel.org/stable/c/6555a2a9212be6983d2319d65276484f7c5f431a ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2024-49995: tipc: guard against string buffer overrun 2025-04-24 6:11 ` CVE-2024-49995: tipc: guard against string buffer overrun Harshit Mogalapalli @ 2025-04-24 7:30 ` Simon Horman 2025-04-24 8:17 ` Dan Carpenter 1 sibling, 0 replies; 5+ messages in thread From: Simon Horman @ 2025-04-24 7:30 UTC (permalink / raw) To: Harshit Mogalapalli Cc: cve, linux-kernel, linux-cve-announce, Dan Carpenter, Greg Kroah-Hartman, netdev - me at corigine.com + netdev On Thu, Apr 24, 2025 at 11:41:01AM +0530, Harshit Mogalapalli wrote: > Hi, > > On 21/10/24 23:33, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > tipc: guard against string buffer overrun > > > > Smatch reports that copying media_name and if_name to name_parts may > > overwrite the destination. > > > > .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) > > .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) > > > > This does seem to be the case so guard against this possibility by using > > strscpy() and failing if truncation occurs. > > > > Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") > > > > Compile tested only. > > > > The Linux kernel CVE team has assigned CVE-2024-49995 to this issue. > > > > > > Looking at the fix commit with more lines around the fix: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6555a2a9212be6983d2319d65276484f7c5f431a&context=30 > > > /* validate component parts of bearer name */ > if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) || > (if_len <= 1) || (if_len > TIPC_MAX_IF_NAME)) > return 0; > > /* return bearer name components, if necessary */ > if (name_parts) { > - strcpy(name_parts->media_name, media_name); > - strcpy(name_parts->if_name, if_name); > + if (strscpy(name_parts->media_name, media_name, > + TIPC_MAX_MEDIA_NAME) < 0) > + return 0; > + if (strscpy(name_parts->if_name, if_name, > + TIPC_MAX_IF_NAME) < 0) > + return 0; > } > return 1; > > > > both media_len and if_len have validation checks above the if(name_parts) > check. So I think this patch just silences the static checker warnings. > > Simon/Dan , could you please help confirming that ? Thanks Harshit, Looking over this with fresh eyes this morning I agree with your analysis. I can't be sure what I was thinking regarding this being a bug when I posted the patch in August. But that it was for net-next, rather than net, and had no Fixes tag, indicates that I did not feel that it was a bug fix at the time. https://lore.kernel.org/netdev/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org/ In any case, I don't think it is a bug fix now. > > Thanks, > Harshit > > > Affected and fixed versions > > =========================== > > > > Fixed in 5.10.227 with commit e2b2558971e0 > > Fixed in 5.15.168 with commit 54dae0e9063e > > Fixed in 6.1.113 with commit 80c0be7bcf94 > > Fixed in 6.6.55 with commit 12d26aa7fd3c > > Fixed in 6.10.14 with commit 2ed7f42dfd3e > > Fixed in 6.11.3 with commit a18c7b239d02 > > Fixed in 6.12-rc1 with commit 6555a2a9212b > > > > Please see https://www.kernel.org for a full list of currently supported > > kernel versions by the kernel community. > > > > Unaffected versions might change over time as fixes are backported to > > older supported kernel versions. The official CVE entry at > > https://cve.org/CVERecord/?id=CVE-2024-49995 > > will be updated if fixes are backported, please check that for the most > > up to date information about this issue. > > > > > > Affected files > > ============== > > > > The file(s) affected by this issue are: > > net/tipc/bearer.c > > > > > > Mitigation > > ========== > > > > The Linux kernel CVE team recommends that you update to the latest > > stable kernel version for this, and many other bugfixes. Individual > > changes are never tested alone, but rather are part of a larger kernel > > release. Cherry-picking individual commits is not recommended or > > supported by the Linux kernel community at all. If however, updating to > > the latest release is impossible, the individual changes to resolve this > > issue can be found at these commits: > > https://git.kernel.org/stable/c/e2b2558971e02ca33eb637a8350d68a48b3e8e46 > > https://git.kernel.org/stable/c/54dae0e9063ed23c9acf8d5ab9b18d3426a8ac18 > > https://git.kernel.org/stable/c/80c0be7bcf940ce9308311575c3aff8983c9b97a > > https://git.kernel.org/stable/c/12d26aa7fd3cbdbc5149b6e516563478d575026e > > https://git.kernel.org/stable/c/2ed7f42dfd3edb387034128ca5b0f639836d4ddd > > https://git.kernel.org/stable/c/a18c7b239d02aafb791ae2c45226f6bb40641792 > > https://git.kernel.org/stable/c/6555a2a9212be6983d2319d65276484f7c5f431a > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2024-49995: tipc: guard against string buffer overrun 2025-04-24 6:11 ` CVE-2024-49995: tipc: guard against string buffer overrun Harshit Mogalapalli 2025-04-24 7:30 ` Simon Horman @ 2025-04-24 8:17 ` Dan Carpenter 2025-04-24 8:45 ` Harshit Mogalapalli 1 sibling, 1 reply; 5+ messages in thread From: Dan Carpenter @ 2025-04-24 8:17 UTC (permalink / raw) To: Harshit Mogalapalli Cc: cve, linux-kernel, linux-cve-announce, Simon Horman, Dan Carpenter, Greg Kroah-Hartman On Thu, Apr 24, 2025 at 11:41:01AM +0530, Harshit Mogalapalli wrote: > Hi, > > On 21/10/24 23:33, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > tipc: guard against string buffer overrun > > > > Smatch reports that copying media_name and if_name to name_parts may > > overwrite the destination. > > > > .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) > > .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) > > > > This does seem to be the case so guard against this possibility by using > > strscpy() and failing if truncation occurs. > > > > Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") > > > > Compile tested only. > > > > The Linux kernel CVE team has assigned CVE-2024-49995 to this issue. > > > > > > Looking at the fix commit with more lines around the fix: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6555a2a9212be6983d2319d65276484f7c5f431a&context=30 > > > /* validate component parts of bearer name */ > if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) || > (if_len <= 1) || (if_len > TIPC_MAX_IF_NAME)) > return 0; > > /* return bearer name components, if necessary */ > if (name_parts) { > - strcpy(name_parts->media_name, media_name); > - strcpy(name_parts->if_name, if_name); > + if (strscpy(name_parts->media_name, media_name, > + TIPC_MAX_MEDIA_NAME) < 0) > + return 0; > + if (strscpy(name_parts->if_name, if_name, > + TIPC_MAX_IF_NAME) < 0) > + return 0; > } > return 1; > > > > both media_len and if_len have validation checks above the if(name_parts) > check. So I think this patch just silences the static checker warnings. > > Simon/Dan , could you please help confirming that ? Correct. The "validate component parts of bearer name" checks are sufficient. This will not affect runtime. regards, dan carpenter ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2024-49995: tipc: guard against string buffer overrun 2025-04-24 8:17 ` Dan Carpenter @ 2025-04-24 8:45 ` Harshit Mogalapalli 2025-04-24 13:44 ` Greg Kroah-Hartman 0 siblings, 1 reply; 5+ messages in thread From: Harshit Mogalapalli @ 2025-04-24 8:45 UTC (permalink / raw) To: Dan Carpenter, Simon Horman, Greg Kroah-Hartman Cc: cve, linux-kernel, linux-cve-announce, Simon Horman, Dan Carpenter, netdev Hi, On 24/04/25 13:47, Dan Carpenter wrote: > On Thu, Apr 24, 2025 at 11:41:01AM +0530, Harshit Mogalapalli wrote: ... >> >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6555a2a9212be6983d2319d65276484f7c5f431a&context=30 >> >> >> /* validate component parts of bearer name */ >> if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) || >> (if_len <= 1) || (if_len > TIPC_MAX_IF_NAME)) >> return 0; >> >> /* return bearer name components, if necessary */ >> if (name_parts) { >> - strcpy(name_parts->media_name, media_name); >> - strcpy(name_parts->if_name, if_name); >> + if (strscpy(name_parts->media_name, media_name, >> + TIPC_MAX_MEDIA_NAME) < 0) >> + return 0; >> + if (strscpy(name_parts->if_name, if_name, >> + TIPC_MAX_IF_NAME) < 0) >> + return 0; >> } >> return 1; >> >> >> >> both media_len and if_len have validation checks above the if(name_parts) >> check. So I think this patch just silences the static checker warnings. >> >> Simon/Dan , could you please help confirming that ? > > Correct. The "validate component parts of bearer name" checks are > sufficient. This will not affect runtime. > Thanks a lot Dan and Simon for confirming this. Greg: Should we get this CVE-2024-49995 revoked ? Regards, Harshit > regards, > dan carpenter > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2024-49995: tipc: guard against string buffer overrun 2025-04-24 8:45 ` Harshit Mogalapalli @ 2025-04-24 13:44 ` Greg Kroah-Hartman 0 siblings, 0 replies; 5+ messages in thread From: Greg Kroah-Hartman @ 2025-04-24 13:44 UTC (permalink / raw) To: Harshit Mogalapalli Cc: Dan Carpenter, Simon Horman, cve, linux-kernel, linux-cve-announce, Simon Horman, Dan Carpenter, netdev On Thu, Apr 24, 2025 at 02:15:43PM +0530, Harshit Mogalapalli wrote: > Hi, > > > On 24/04/25 13:47, Dan Carpenter wrote: > > On Thu, Apr 24, 2025 at 11:41:01AM +0530, Harshit Mogalapalli wrote: > ... > > > > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6555a2a9212be6983d2319d65276484f7c5f431a&context=30 > > > > > > > > > /* validate component parts of bearer name */ > > > if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) || > > > (if_len <= 1) || (if_len > TIPC_MAX_IF_NAME)) > > > return 0; > > > > > > /* return bearer name components, if necessary */ > > > if (name_parts) { > > > - strcpy(name_parts->media_name, media_name); > > > - strcpy(name_parts->if_name, if_name); > > > + if (strscpy(name_parts->media_name, media_name, > > > + TIPC_MAX_MEDIA_NAME) < 0) > > > + return 0; > > > + if (strscpy(name_parts->if_name, if_name, > > > + TIPC_MAX_IF_NAME) < 0) > > > + return 0; > > > } > > > return 1; > > > > > > > > > > > > both media_len and if_len have validation checks above the if(name_parts) > > > check. So I think this patch just silences the static checker warnings. > > > > > > Simon/Dan , could you please help confirming that ? > > > > Correct. The "validate component parts of bearer name" checks are > > sufficient. This will not affect runtime. > > > > Thanks a lot Dan and Simon for confirming this. > > Greg: Should we get this CVE-2024-49995 revoked ? Yup, now rejected, thanks for the review! greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-04-24 13:44 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <2024102138-CVE-2024-49995-ec59@gregkh>
2025-04-24 6:11 ` CVE-2024-49995: tipc: guard against string buffer overrun Harshit Mogalapalli
2025-04-24 7:30 ` Simon Horman
2025-04-24 8:17 ` Dan Carpenter
2025-04-24 8:45 ` Harshit Mogalapalli
2025-04-24 13:44 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox