In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

  memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
  WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentary, based on my understanding:

  #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
  /// This is 24 + payload_size

  memcpy(&dg_info->msg, dg, dg_size);

  Destination = dg_info->msg -> this is a 24 byte structure (struct vmci_datagram)
  Source = dg -> this is a 24 byte structure (struct vmci_datagram)
  Size = dg_size = 24 + payload_size {payload_size = 56-24 = 32}
  - Syzkaller managed to set payload_size to 32.

  struct delayed_datagram_info {
          struct datagram_entry entry;
          struct work_struct work;
          bool in_dg_host_queue;
          /* msg and msg_payload must be together. */
          struct vmci_datagram msg;
          u8 msg_payload[];
  };

So those extra bytes of payload are copied into msg_payload[], a run time warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into two parts - one - direct assignment of msg and second taking care of payload.

Gustavo quoted: "Under FORTIFY_SOURCE we should not copy data across multiple members in a structure."
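The field-spanning copy and the split copy the commit message proposes, side by side, as an added example written for this page (it is not the kernel's code). The structures use the names from the commit message, with struct vmci_handle assumed to be two 32-bit ids so that the header is the 24 bytes the warning reports; the other members of struct delayed_datagram_info are omitted. The FORTIFY_SOURCE check is modelled by hand: the kernel derives the destination field size from __builtin_object_size(dst, 1) at -O2, whereas here the caller passes that size explicitly (sizeof for a plain member, SIZE_MAX for the flexible array) so the example behaves identically at any optimisation level. The datagram input is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the kernel structures named in the commit message (layout
 * only). struct vmci_handle is assumed to be two 32-bit ids, which gives the
 * 24-byte header (8 + 8 + 8) that the warning reports as "size 24". */
struct vmci_handle { uint32_t context; uint32_t resource; };

struct vmci_datagram {
    struct vmci_handle dst;
    struct vmci_handle src;
    uint64_t payload_size;
};

#define VMCI_DG_HEADERSIZE sizeof(struct vmci_datagram)
#define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)

struct delayed_datagram_info {
    /* entry, work and in_dg_host_queue omitted: they take no part in the copy. */
    struct vmci_datagram msg;  /* msg and msg_payload must be together. */
    uint8_t msg_payload[];
};

/* Hand-written model of the kernel's FORTIFY_SOURCE memcpy() destination
 * check. The kernel takes dst_field_size from __builtin_object_size(dst, 1):
 * the size of the single struct member the pointer names, or SIZE_MAX when
 * the compiler cannot bound it (e.g. a flexible array member). The kernel
 * warns but still copies; so does this, and the return value reports whether
 * the copy spanned fields. */
static bool fortify_memcpy(void *dst, size_t dst_field_size, const void *src,
                           size_t n, const char *dst_name, const char *file,
                           int line)
{
    bool spanning = dst_field_size != SIZE_MAX && n > dst_field_size;

    if (spanning)
        fprintf(stderr, "memcpy: detected field-spanning write (size %zu) of "
                "single field \"%s\" at %s:%d (size %zu)\n",
                n, dst_name, file, line, dst_field_size);
    memcpy(dst, src, n);
    return spanning;
}

#define FORTIFY_MEMCPY(dst, field_size, src, n) \
    fortify_memcpy((dst), (field_size), (src), (n), #dst, __FILE__, __LINE__)

/* Before the fix: header and payload copied by one memcpy() into &dg_info->msg. */
static bool dispatch_single_memcpy(struct delayed_datagram_info *dg_info,
                                   const struct vmci_datagram *dg)
{
    return FORTIFY_MEMCPY(&dg_info->msg, sizeof(dg_info->msg), dg, VMCI_DG_SIZE(dg));
}

/* After the fix: assign the header, then copy only the payload into msg_payload[]. */
static bool dispatch_split_copy(struct delayed_datagram_info *dg_info,
                                const struct vmci_datagram *dg)
{
    dg_info->msg = *dg;
    return FORTIFY_MEMCPY(dg_info->msg_payload, SIZE_MAX,
                          (const uint8_t *)dg + VMCI_DG_HEADERSIZE,
                          (size_t)dg->payload_size);
}

/* Constructed input: a datagram with the given payload_size and a recognisable
 * payload pattern (32 is the value Syzkaller reached, giving dg_size 56). */
static struct vmci_datagram *make_test_datagram(uint64_t payload_size)
{
    struct vmci_datagram *dg = calloc(1, VMCI_DG_HEADERSIZE + payload_size);
    uint8_t *payload = (uint8_t *)dg + VMCI_DG_HEADERSIZE;

    dg->dst = (struct vmci_handle){ 1, 2 };
    dg->src = (struct vmci_handle){ 3, 4 };
    dg->payload_size = payload_size;
    for (size_t i = 0; i < payload_size; i++)
        payload[i] = (uint8_t)(0xA0 + i);
    return dg;
}

struct dispatch_result {
    bool single_flagged;  /* one memcpy() across msg and msg_payload */
    bool split_flagged;   /* assignment plus payload-only memcpy() */
    bool identical;       /* both variants leave the same bytes in memory */
};

/* Run both variants on the same datagram into zeroed objects sized for the payload. */
static struct dispatch_result compare_variants(uint64_t payload_size)
{
    struct vmci_datagram *dg = make_test_datagram(payload_size);
    size_t total = sizeof(struct delayed_datagram_info) + payload_size;
    struct delayed_datagram_info *a = calloc(1, total);
    struct delayed_datagram_info *b = calloc(1, total);
    struct dispatch_result r;

    r.single_flagged = dispatch_single_memcpy(a, dg);
    r.split_flagged = dispatch_split_copy(b, dg);
    r.identical = memcmp(a, b, total) == 0;
    free(a);
    free(b);
    free(dg);
    return r;
}

int main(void)
{
    struct dispatch_result r = compare_variants(32);

    printf("header %zu bytes, dg_size %zu\n", VMCI_DG_HEADERSIZE, VMCI_DG_HEADERSIZE + 32);
    printf("single memcpy flagged: %d, split copy flagged: %d, identical: %d\n",
           r.single_flagged, r.split_flagged, r.identical);
    return 0;
}
```

Both variants write exactly the same bytes, and the allocation is sized for the payload, so the single memcpy() is not an out-of-bounds write; what FORTIFY objects to is that the destination expression names a 24-byte member while the length covers that member and the flexible array after it. Splitting the copy gives each memcpy() a destination whose declared bound it does not exceed, which is why the warning goes away without changing the data that lands in memory. With payload_size 0 the single copy is not flagged either, since 24 bytes fit the field.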
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < 5.4.0-189.209 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-116.126 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1128.138 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1065.71 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1065.71~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < 5.4.0-1133.140 | UNKNOWN |
git.kernel.org/linus/19b070fefd0d024af3daa7329cbc0d00de5302ec (6.9-rc1)
git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74
git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec
git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f
git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73
git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
launchpad.net/bugs/cve/CVE-2024-35944
nvd.nist.gov/vuln/detail/CVE-2024-35944
security-tracker.debian.org/tracker/CVE-2024-35944
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6896-1
ubuntu.com/security/notices/USN-6896-2
ubuntu.com/security/notices/USN-6896-3
ubuntu.com/security/notices/USN-6896-4
ubuntu.com/security/notices/USN-6896-5
ubuntu.com/security/notices/USN-6898-1
ubuntu.com/security/notices/USN-6898-2
ubuntu.com/security/notices/USN-6898-3
ubuntu.com/security/notices/USN-6898-4
ubuntu.com/security/notices/USN-6917-1
ubuntu.com/security/notices/USN-6918-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2024-35944