In the Linux kernel, the following vulnerability has been resolved:
xfrm: validate new SA's prefixlen using SA family when sel.family is unset
This expands the validation introduced in commit 07bf7908950a ("xfrm:
Validate address prefix lengths in the xfrm selector.")
syzbot created an SA with
usersa.sel.family = AF_UNSPEC
usersa.sel.prefixlen_s = 128
usersa.family = AF_INET
Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
limits on prefixlen_{s,d}. But then copy_from_user_state sets
x->sel.family to usersa.family (AF_INET). Do the same conversion in
verify_newsa_info before validating prefixlen_{s,d}, since that's how
prefixlen is going to be used later on.
References
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2024-11-07 10:15
Updated : 2024-11-22 16:47
NVD link : CVE-2024-50142
Mitre link : CVE-2024-50142
CVE.ORG link : CVE-2024-50142
JSON object : View
Products Affected
linux
- linux_kernel
CWE