Bug 2305428 (CVE-2024-42283) - CVE-2024-42283 kernel: net: nexthop: Initialize all fields in dumped nexthops
Summary: CVE-2024-42283 kernel: net: nexthop: Initialize all fields in dumped nexthops
Keywords:
Status: NEW
Alias: CVE-2024-42283
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2305806
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-08-17 09:21 UTC by OSIDB Bzimport
Modified: 2024-11-21 12:19 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:10161 0 None None None 2024-11-21 12:19:24 UTC
Red Hat Product Errata RHSA-2024:9605 0 None None None 2024-11-14 00:18:02 UTC

Description OSIDB Bzimport 2024-08-17 09:21:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: Initialize all fields in dumped nexthops

struct nexthop_grp contains two reserved fields that are not initialized by
nla_put_nh_group(), and carry garbage. This can be observed e.g. with
strace (edited for clarity):

    # ip nexthop add id 1 dev lo
    # ip nexthop add id 101 group 1
    # strace -e recvmsg ip nexthop get id 101
    ...
    recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},
                 [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52

The fields are reserved and therefore not currently used. But as they are, they
leak kernel memory, and the fact they are not just zero complicates repurposing
of the fields for new ends. Initialize the full structure.
Comment 1 errata-xmlrpc 2024-11-14 00:18:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9605 https://access.redhat.com/errata/RHSA-2024:9605
Note You need to log in before you can comment on or make changes to this bug.