{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-44999", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-21T05:34:56.672Z", "datePublished": "2024-09-04T19:54:43.601Z", "dateUpdated": "2024-11-05T09:43:47.491Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:43:47.491Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: pull network headers in gtp_dev_xmit()\n\nsyzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]\n\nWe must make sure the IPv4 or Ipv6 header is pulled in skb->head\nbefore accessing fields in them.\n\nUse pskb_inet_may_pull() to fix this issue.\n\n[1]\nBUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n __netdev_start_xmit include/linux/netdevice.h:4913 [inline]\n netdev_start_xmit include/linux/netdevice.h:4922 [inline]\n xmit_one net/core/dev.c:3580 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596\n __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423\n dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3145 [inline]\n packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3994 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583\n __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674\n alloc_skb include/linux/skbuff.h:1320 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815\n packet_alloc_skb net/packet/af_packet.c:2994 [inline]\n packet_snd net/packet/af_packet.c:3088 [inline]\n packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/gtp.c"], "versions": [{"version": "459aa660eb1d", "lessThan": "3d89d0c4a1c6", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "f5dda8db382c", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "cbb9a969fc19", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "1f6b62392453", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "137d565ab89c", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "34ba4f29f3d9", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "3939d787139e", "status": "affected", "versionType": "git"}, {"version": "459aa660eb1d", "lessThan": "3a3be7ff9224", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/gtp.c"], "versions": [{"version": "4.7", "status": "affected"}, {"version": "0", "lessThan": "4.7", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.321", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.283", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.225", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.166", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.107", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.48", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.7", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3"}, {"url": "https://git.kernel.org/stable/c/f5dda8db382c5751c4e572afc7c99df7da1f83ca"}, {"url": "https://git.kernel.org/stable/c/cbb9a969fc190e85195d1b0f08038e7f6199044e"}, {"url": "https://git.kernel.org/stable/c/1f6b62392453d8f36685d19b761307a8c5617ac1"}, {"url": "https://git.kernel.org/stable/c/137d565ab89ce3584503b443bc9e00d44f482593"}, {"url": "https://git.kernel.org/stable/c/34ba4f29f3d9eb52dee37512059efb2afd7e966f"}, {"url": "https://git.kernel.org/stable/c/3939d787139e359b77aaf9485d1e145d6713d7b9"}, {"url": "https://git.kernel.org/stable/c/3a3be7ff9224f424e485287b54be00d2c6bd9c40"}], "title": "gtp: pull network headers in gtp_dev_xmit()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T20:18:58.731411Z", "id": "CVE-2024-44999", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T20:19:12.864Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-44999", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T20:18:58.731411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T20:19:02.428Z"}}], "cna": {"title": "gtp: pull network headers in gtp_dev_xmit()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "459aa660eb1d", "lessThan": "3d89d0c4a1c6", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "f5dda8db382c", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "cbb9a969fc19", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "1f6b62392453", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "137d565ab89c", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "34ba4f29f3d9", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "3939d787139e", "versionType": "git"}, {"status": "affected", "version": "459aa660eb1d", "lessThan": "3a3be7ff9224", "versionType": "git"}], "programFiles": ["drivers/net/gtp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.7"}, {"status": "unaffected", "version": "0", "lessThan": "4.7", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.321", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.283", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.225", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.166", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.107", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.48", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.7", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/gtp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3"}, {"url": "https://git.kernel.org/stable/c/f5dda8db382c5751c4e572afc7c99df7da1f83ca"}, {"url": "https://git.kernel.org/stable/c/cbb9a969fc190e85195d1b0f08038e7f6199044e"}, {"url": "https://git.kernel.org/stable/c/1f6b62392453d8f36685d19b761307a8c5617ac1"}, {"url": "https://git.kernel.org/stable/c/137d565ab89ce3584503b443bc9e00d44f482593"}, {"url": "https://git.kernel.org/stable/c/34ba4f29f3d9eb52dee37512059efb2afd7e966f"}, {"url": "https://git.kernel.org/stable/c/3939d787139e359b77aaf9485d1e145d6713d7b9"}, {"url": "https://git.kernel.org/stable/c/3a3be7ff9224f424e485287b54be00d2c6bd9c40"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: pull network headers in gtp_dev_xmit()\n\nsyzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]\n\nWe must make sure the IPv4 or Ipv6 header is pulled in skb->head\nbefore accessing fields in them.\n\nUse pskb_inet_may_pull() to fix this issue.\n\n[1]\nBUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n __netdev_start_xmit include/linux/netdevice.h:4913 [inline]\n netdev_start_xmit include/linux/netdevice.h:4922 [inline]\n xmit_one net/core/dev.c:3580 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596\n __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423\n dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3145 [inline]\n packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3994 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583\n __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674\n alloc_skb include/linux/skbuff.h:1320 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815\n packet_alloc_skb net/packet/af_packet.c:2994 [inline]\n packet_snd net/packet/af_packet.c:3088 [inline]\n packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:43:47.491Z"}}}, "cveMetadata": {"cveId": "CVE-2024-44999", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:43:47.491Z", "dateReserved": "2024-08-21T05:34:56.672Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-09-04T19:54:43.601Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2182122C-2D3A-4507-B128-955820A30780", "versionEndExcluding": "4.19.321", "versionStartIncluding": "4.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E6B390A-0CE6-44FC-8CD5-BE8226D6D24C", "versionEndExcluding": "5.4.283", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57B46A9-B105-4792-8481-1870DEFB436A", "versionEndExcluding": "5.10.225", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "913ED6CD-8ACF-48AF-AA18-7880881DD402", "versionEndExcluding": "5.15.166", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "53954FF8-CB48-4302-BC4C-9DA7A88F44A2", "versionEndExcluding": "6.1.107", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DE9201A-CE6B-4726-BABB-8265EA0F8AE4", "versionEndExcluding": "6.6.48", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2AFDFD1-D95A-4EB7-843B-5E7659518B67", "versionEndExcluding": "6.10.7", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: pull network headers in gtp_dev_xmit()\n\nsyzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]\n\nWe must make sure the IPv4 or Ipv6 header is pulled in skb->head\nbefore accessing fields in them.\n\nUse pskb_inet_may_pull() to fix this issue.\n\n[1]\nBUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n __netdev_start_xmit include/linux/netdevice.h:4913 [inline]\n netdev_start_xmit include/linux/netdevice.h:4922 [inline]\n xmit_one net/core/dev.c:3580 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596\n __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423\n dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3145 [inline]\n packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3994 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583\n __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674\n alloc_skb include/linux/skbuff.h:1320 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815\n packet_alloc_skb net/packet/af_packet.c:2994 [inline]\n packet_snd net/packet/af_packet.c:3088 [inline]\n packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gtp: extraer encabezados de red en gtp_dev_xmit() syzbot/KMSAN inform\u00f3 del uso de uninit-value en get_dev_xmit() [1] Debemos asegurarnos de que el encabezado IPv4 o Ipv6 se extraiga en skb->head antes de acceder a los campos que contienen. Utilice pskb_inet_may_pull() para solucionar este problema. [1] ERROR: KMSAN: valor no inicializado en ipv6_pdp_find drivers/net/gtp.c:220 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en gtp_build_skb_ip6 drivers/net/gtp.c:1229 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281 ipv6_pdp_find drivers/net/gtp.c:220 [en l\u00ednea] gtp_build_skb_ip6 drivers/net/gtp.c:1229 [en l\u00ednea] gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281 __netdev_start_xmit incluir/linux/netdevice.h:4913 [en l\u00ednea] netdev_start_xmit incluir/linux/netdevice.h:4922 [en l\u00ednea] xmit_one net/core/dev.c:3580 [en l\u00ednea] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596 __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423 dev_queue_xmit incluir/linux/netdevice.h:3105 [en l\u00ednea] paquete_xmit+0x9c/0x6c0 net/paquete/af_packet.c:276 paquete_snd net/paquete/af_packet.c:3145 [en l\u00ednea] paquete_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177 sock_sendmsg_nosec net/socket.c:730 [en l\u00ednea] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2204 __do_sys_sendto net/socket.c:2216 [en l\u00ednea] __se_sys_sendto net/socket.c:2212 [en l\u00ednea] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212 x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit se cre\u00f3 en: slab_post_alloc_hook mm/slub.c:3994 [en l\u00ednea] slab_alloc_node mm/slub.c:4037 [en l\u00ednea] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674 alloc_skb include/linux/skbuff.h:1320 [en l\u00ednea] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815 packet_alloc_skb net/packet/af_packet.c:2994 [en l\u00ednea] packet_snd net/packet/af_packet.c:3088 [en l\u00ednea] packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177 sock_sendmsg_nosec net/socket.c:730 [en l\u00ednea] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 red/socket.c:2204 __do_sys_sendto red/socket.c:2216 [en l\u00ednea] __se_sys_sendto red/socket.c:2212 [en l\u00ednea] __x64_sys_sendto+0x125/0x1d0 red/socket.c:2212 x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 No contaminado 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/06/2024"}], "id": "CVE-2024-44999", "lastModified": "2024-09-06T16:27:51.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-04T20:15:08.590", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/137d565ab89ce3584503b443bc9e00d44f482593"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f6b62392453d8f36685d19b761307a8c5617ac1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/34ba4f29f3d9eb52dee37512059efb2afd7e966f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3939d787139e359b77aaf9485d1e145d6713d7b9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3a3be7ff9224f424e485287b54be00d2c6bd9c40"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3d89d0c4a1c6d4d2a755e826351b0a101dbc86f3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cbb9a969fc190e85195d1b0f08038e7f6199044e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f5dda8db382c5751c4e572afc7c99df7da1f83ca"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: gtp: pull network headers in gtp_dev_xmit()", "id": "2309862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309862"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ngtp: pull network headers in gtp_dev_xmit()\nsyzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]\nWe must make sure the IPv4 or Ipv6 header is pulled in skb->head\nbefore accessing fields in them.\nUse pskb_inet_may_pull() to fix this issue.\n[1]\nBUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]\nBUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\nBUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\nipv6_pdp_find drivers/net/gtp.c:220 [inline]\ngtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\ngtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n__netdev_start_xmit include/linux/netdevice.h:4913 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4922 [inline]\nxmit_one net/core/dev.c:3580 [inline]\ndev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596\n__dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423\ndev_queue_xmit include/linux/netdevice.h:3105 [inline]\npacket_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3145 [inline]\npacket_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n__sys_sendto+0x685/0x830 net/socket.c:2204\n__do_sys_sendto net/socket.c:2216 [inline]\n__se_sys_sendto net/socket.c:2212 [inline]\n__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\nx64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:3994 [inline]\nslab_alloc_node mm/slub.c:4037 [inline]\nkmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583\n__alloc_skb+0x363/0x7b0 net/core/skbuff.c:674\nalloc_skb include/linux/skbuff.h:1320 [inline]\nalloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526\nsock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815\npacket_alloc_skb net/packet/af_packet.c:2994 [inline]\npacket_snd net/packet/af_packet.c:3088 [inline]\npacket_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n__sys_sendto+0x685/0x830 net/socket.c:2204\n__do_sys_sendto net/socket.c:2216 [inline]\n__se_sys_sendto net/socket.c:2212 [inline]\n__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\nx64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nCPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024", "A use-after-free vulnerability was found in the Linux kernel's GPRS Tunneling Protocol ( GTP ) driver, specifically in the gtp_dev_xmit() function. This issue is due to the IPv4 or IPv6 headers not being properly pulled into the skb->head before being accessed. This led to the use of uninitialized values, as reported by Kernel Memory Sanitizer (KMSAN)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-44999", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-44999\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-44999\nhttps://lore.kernel.org/linux-cve-announce/2024090449-CVE-2024-44999-187d@gregkh/T"], "statement": "This issue is classified as Moderate severity rather than Important due to the specific nature of the uninitialized value problem. The vulnerability involves the potential use of uninitialized memory in network header fields, which, while potentially exposing sensitive data or causing erratic behavior, generally requires a specific set of conditions to be exploited. The `pskb_inet_may_pull()` function addresses this by ensuring that necessary headers are correctly initialized before use.", "threat_severity": "Moderate"}