In the Linux kernel, the following vulnerability has been resolved:
arp: Prevent overflow in arp_req_get().
syzkaller reported an overflown write in arp_req_get(). [0]
When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.
The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
the sa_data buffer is just 14 bytes.
In the splat below, 2 bytes are overflown to the next int field,
arp_flags. We initialise the field just after the memcpy(), so it's
not a problem.
However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
in arp_ioctl() before calling arp_req_get().
To avoid the overflow, let's limit the max length of memcpy().
Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
array in struct sockaddr") just silenced syzkaller.
[0]:
memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Modules linked in:
CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
sock_do_ioctl+0xdf/0x260 net/socket.c:1204
sock_ioctl+0x3ef/0x650 net/socket.c:1321
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f172b262b8d
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
</TASK>
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Debian |
|
| Linux |
|
| Netapp |
|
| Redhat |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
| AND |
|
Configuration 4 [-]
| AND |
|
Configuration 5 [-]
| AND |
|
Configuration 6 [-]
| AND |
|
Configuration 7 [-]
| AND |
|
Configuration 8 [-]
| AND |
|
Configuration 9 [-]
| AND |
|
Configuration 10 [-]
| AND |
|
Configuration 11 [-]
| AND |
|
Configuration 12 [-]
| AND |
|
Configuration 13 [-]
| AND |
|
Configuration 14 [-]
| AND |
|
Configuration 15 [-]
| AND |
|
Configuration 16 [-]
| AND |
|
Configuration 17 [-]
| AND |
|
Configuration 18 [-]
| AND |
|
Configuration 19 [-]
| AND |
|
Configuration 20 [-]
| AND |
|
Configuration 21 [-]
| AND |
|
Configuration 22 [-]
| AND |
|
Configuration 23 [-]
| AND |
|
Configuration 24 [-]
| AND |
|
Configuration 25 [-]
| AND |
|
Configuration 26 [-]
| AND |
|
Configuration 27 [-]
| AND |
|
Configuration 28 [-]
| AND |
|
Configuration 29 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | |||
| kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10 | cpe:/a:redhat:enterprise_linux:8::nfv | RHSA-2024:5102 | 2024-08-08T00:00:00Z |
| kernel-0:4.18.0-553.16.1.el8_10 | cpe:/o:redhat:enterprise_linux:8 | RHSA-2024:5101 | 2024-08-08T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | |||
| kernel-0:4.18.0-372.113.1.el8_6 | cpe:/o:redhat:rhel_aus:8.6 | RHSA-2024:4902 | 2024-07-29T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | |||
| kernel-0:4.18.0-372.113.1.el8_6 | cpe:/o:redhat:rhel_tus:8.6 | RHSA-2024:4902 | 2024-07-29T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | |||
| kernel-0:4.18.0-372.113.1.el8_6 | cpe:/o:redhat:rhel_e4s:8.6 | RHSA-2024:4902 | 2024-07-29T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | |||
| kernel-0:4.18.0-477.67.1.el8_8 | cpe:/o:redhat:rhel_eus:8.8 | RHSA-2024:5255 | 2024-08-13T00:00:00Z |
| Red Hat Enterprise Linux 9 | |||
| kernel-0:5.14.0-503.11.1.el9_5 | cpe:/a:redhat:enterprise_linux:9 | RHSA-2024:9315 | 2024-11-12T00:00:00Z |
| kernel-0:5.14.0-503.11.1.el9_5 | cpe:/o:redhat:enterprise_linux:9 | RHSA-2024:9315 | 2024-11-12T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | |||
| kernel-0:5.14.0-427.61.1.el9_4 | cpe:/a:redhat:rhel_eus:9.4 | RHSA-2025:3215 | 2025-03-26T00:00:00Z |
References
History
Wed, 26 Mar 2025 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:rhel_eus:9.4 |
Mon, 17 Mar 2025 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Debian
Debian debian Linux Linux Linux linux Kernel Netapp Netapp 8200 Netapp 8200 Firmware Netapp 8300 Netapp 8300 Firmware Netapp 8700 Netapp 8700 Firmware Netapp 9000 Netapp 9000 Firmware Netapp 9500 Netapp 9500 Firmware Netapp a150 Netapp a150 Firmware Netapp a1k Netapp a1k Firmware Netapp a220 Netapp a220 Firmware Netapp a300 Netapp a300 Firmware Netapp a320 Netapp a320 Firmware Netapp a400 Netapp a400 Firmware Netapp a70 Netapp a700 Netapp a700 Firmware Netapp a700s Netapp a700s Firmware Netapp a70 Firmware Netapp a800 Netapp a800 Firmware Netapp a90 Netapp a900 Netapp a900 Firmware Netapp a90 Firmware Netapp c190 Netapp c190 Firmware Netapp c400 Netapp c400 Firmware Netapp c800 Netapp c800 Firmware Netapp e-series Santricity Os Controller Netapp fas2720 Netapp fas2720 Firmware Netapp fas2750 Netapp fas2750 Firmware Netapp fas2820 Netapp fas2820 Firmware Netapp h610c Netapp h610c Firmware Netapp h610s Netapp h610s Firmware Netapp h615c Netapp h615c Firmware |
|
| Weaknesses | CWE-787 | |
| CPEs | cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:8200:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:8300:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:8700:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:9000:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:9500:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a150:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a1k:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a220:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a300:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a320:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a400:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a700:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a700s:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a70:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a800:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a900:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:a90:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:c190:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:c400:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:c800:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:fas2720:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:fas2750:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:fas2820:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:h610c:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:h610s:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:h615c:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:5.10.211:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* cpe:2.3:o:netapp:8200_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:9000_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:9500_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a150_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a1k_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a220_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a300_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a320_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a700_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a70_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a800_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a900_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:a90_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:c190_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:c400_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:c800_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:fas2720_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:fas2750_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:fas2820_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h610c_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h615c_firmware:-:*:*:*:*:*:*:* |
|
| Vendors & Products |
Debian
Debian debian Linux Linux Linux linux Kernel Netapp Netapp 8200 Netapp 8200 Firmware Netapp 8300 Netapp 8300 Firmware Netapp 8700 Netapp 8700 Firmware Netapp 9000 Netapp 9000 Firmware Netapp 9500 Netapp 9500 Firmware Netapp a150 Netapp a150 Firmware Netapp a1k Netapp a1k Firmware Netapp a220 Netapp a220 Firmware Netapp a300 Netapp a300 Firmware Netapp a320 Netapp a320 Firmware Netapp a400 Netapp a400 Firmware Netapp a70 Netapp a700 Netapp a700 Firmware Netapp a700s Netapp a700s Firmware Netapp a70 Firmware Netapp a800 Netapp a800 Firmware Netapp a90 Netapp a900 Netapp a900 Firmware Netapp a90 Firmware Netapp c190 Netapp c190 Firmware Netapp c400 Netapp c400 Firmware Netapp c800 Netapp c800 Firmware Netapp e-series Santricity Os Controller Netapp fas2720 Netapp fas2720 Firmware Netapp fas2750 Netapp fas2750 Firmware Netapp fas2820 Netapp fas2820 Firmware Netapp h610c Netapp h610c Firmware Netapp h610s Netapp h610s Firmware Netapp h615c Netapp h615c Firmware |
Fri, 22 Nov 2024 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Wed, 13 Nov 2024 02:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9 |
Tue, 05 Nov 2024 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Wed, 11 Sep 2024 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 13 Aug 2024 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat rhel Eus
|
|
| CPEs | cpe:/o:redhat:rhel_eus:8.8 | |
| Vendors & Products |
Redhat rhel Eus
|
Thu, 08 Aug 2024 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat enterprise Linux
|
|
| CPEs | cpe:/a:redhat:enterprise_linux:8::nfv cpe:/o:redhat:enterprise_linux:8 |
|
| Vendors & Products |
Redhat enterprise Linux
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2024-12-19T08:46:05.705Z
Reserved: 2024-02-19T14:20:24.165Z
Link: CVE-2024-26733
Vulnrichment
Updated: 2024-11-01T17:03:11.240Z
NVD
Status : Analyzed
Published: 2024-04-03T17:15:51.040
Modified: 2025-03-17T16:02:47.887
Link: CVE-2024-26733
Redhat