Lucene search

416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2024-36016

HistoryMay 29, 2024 - 7:15 p.m.

CVE-2024-36016

2024-05-2919:15:48

CWE-125

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

tty

n_gsm

vulnerability

gsm0_receive

buffer overflow

data length

security fix

memory corruption

7.7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.2%

JSON

In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

Assuming the following:

side A configures the n_gsm in basic option mode
side B sends the header of a basic option mode frame with data length 1
side A switches to advanced option mode
side B sends 2 data bytes which exceeds gsm->len
Reason: gsm->len is not used in advanced option mode.
side A switches to basic option mode
side B keeps sending until gsm0_receive() writes past gsm->buf
Reason: Neither gsm->state nor gsm->len have been reset after
reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.

Affected configurations

Vulners

Node

linuxlinux_kernelRange2.6.35–4.19.316

linuxlinux_kernelRange4.20.0–5.4.278

linuxlinux_kernelRange5.5.0–5.10.219

linuxlinux_kernelRange5.11.0–5.15.161

linuxlinux_kernelRange5.16.0–6.1.93

linuxlinux_kernelRange6.2.0–6.6.33

linuxlinux_kernelRange6.7.0–6.8.12

linuxlinux_kernelRange6.9.0–6.9.3

linuxlinux_kernelRange6.10.0–6.10-rc1

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/tty/n_gsm.c"
    ],
    "versions": [
      {
        "version": "e1eaea46bb40",
        "lessThan": "9513d4148950",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "b229bc6c6ea9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "0fb736c9931e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "4c267110fc11",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "46f52c89a7e7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "774d83b008ec",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "f126ce7305fe",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "b890d45aaf02",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e1eaea46bb40",
        "lessThan": "47388e807f85",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/tty/n_gsm.c"
    ],
    "versions": [
      {
        "version": "2.6.35",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.35",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.316",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.278",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.219",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.161",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.93",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.33",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.12",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.3",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10-rc1",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]