{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46744", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-11T15:12:18.266Z", "datePublished": "2024-09-18T07:12:04.975Z", "dateUpdated": "2024-09-18T07:12:04.975Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-09-18T07:12:04.975Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: sanity check symbolic link size\n\nSyzkiller reports a \"KMSAN: uninit-value in pick_link\" bug.\n\nThis is caused by an uninitialised page, which is ultimately caused\nby a corrupted symbolic link size read from disk.\n\nThe reason why the corrupted symlink size causes an uninitialised\npage is due to the following sequence of events:\n\n1. squashfs_read_inode() is called to read the symbolic\n link from disk. This assigns the corrupted value\n 3875536935 to inode->i_size.\n\n2. Later squashfs_symlink_read_folio() is called, which assigns\n this corrupted value to the length variable, which being a\n signed int, overflows producing a negative number.\n\n3. The following loop that fills in the page contents checks that\n the copied bytes is less than length, which being negative means\n the loop is skipped, producing an uninitialised page.\n\nThis patch adds a sanity check which checks that the symbolic\nlink size is not larger than expected.\n\n--\n\nV2: fix spelling mistake."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/inode.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "f82cb7f24032", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "1b9451ba6f21", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "5c8906de98d0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "087f25b2d36a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "fac5e82ab133", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "c3af7e460a52", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "ef4e249971eb", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "810ee43d9cd2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/inode.c"], "versions": [{"version": "4.19.322", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.284", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.226", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.167", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.110", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.51", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10.10", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f82cb7f24032ed023fc67d26ea9bf322d8431a90"}, {"url": "https://git.kernel.org/stable/c/1b9451ba6f21478a75288ea3e3fca4be35e2a438"}, {"url": "https://git.kernel.org/stable/c/5c8906de98d0d7ad42ff3edf2cb6cd7e0ea658c4"}, {"url": "https://git.kernel.org/stable/c/087f25b2d36adae19951114ffcbb7106ed405ebb"}, {"url": "https://git.kernel.org/stable/c/fac5e82ab1334fc8ed6ff7183702df634bd1d93d"}, {"url": "https://git.kernel.org/stable/c/c3af7e460a526007e4bed1ce3623274a1a6afe5e"}, {"url": "https://git.kernel.org/stable/c/ef4e249971eb77ec33d74c5c3de1e2576faf6c90"}, {"url": "https://git.kernel.org/stable/c/810ee43d9cd245d138a2733d87a24858a23f577d"}], "title": "Squashfs: sanity check symbolic link size", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: sanity check symbolic link size\n\nSyzkiller reports a \"KMSAN: uninit-value in pick_link\" bug.\n\nThis is caused by an uninitialised page, which is ultimately caused\nby a corrupted symbolic link size read from disk.\n\nThe reason why the corrupted symlink size causes an uninitialised\npage is due to the following sequence of events:\n\n1. squashfs_read_inode() is called to read the symbolic\n link from disk. This assigns the corrupted value\n 3875536935 to inode->i_size.\n\n2. Later squashfs_symlink_read_folio() is called, which assigns\n this corrupted value to the length variable, which being a\n signed int, overflows producing a negative number.\n\n3. The following loop that fills in the page contents checks that\n the copied bytes is less than length, which being negative means\n the loop is skipped, producing an uninitialised page.\n\nThis patch adds a sanity check which checks that the symbolic\nlink size is not larger than expected.\n\n--\n\nV2: fix spelling mistake."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Squashfs: comprobaci\u00f3n de la integridad del tama\u00f1o del enlace simb\u00f3lico Syzkiller informa de un error \"KMSAN: uninit-value in pick_link\". Esto se debe a una p\u00e1gina no inicializada, que en \u00faltima instancia se debe a un tama\u00f1o de enlace simb\u00f3lico da\u00f1ado le\u00eddo desde el disco. La raz\u00f3n por la que el tama\u00f1o de enlace simb\u00f3lico da\u00f1ado provoca una p\u00e1gina no inicializada se debe a la siguiente secuencia de eventos: 1. Se llama a squashfs_read_inode() para leer el enlace simb\u00f3lico desde el disco. Esto asigna el valor da\u00f1ado 3875536935 a inode->i_size. 2. M\u00e1s tarde se llama a squashfs_symlink_read_folio(), que asigna este valor da\u00f1ado a la variable length, que, al ser un int con signo, se desborda produciendo un n\u00famero negativo. 3. El siguiente bucle que rellena el contenido de la p\u00e1gina comprueba que los bytes copiados sean menores que length, que, al ser negativo, significa que se omite el bucle, lo que produce una p\u00e1gina no inicializada. Este parche agrega una verificaci\u00f3n de cordura que verifica que el tama\u00f1o del enlace simb\u00f3lico no sea mayor al esperado. -- V2: corrige error ortogr\u00e1fico."}], "id": "CVE-2024-46744", "lastModified": "2024-09-20T12:30:51.220", "metrics": {}, "published": "2024-09-18T08:15:03.603", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/087f25b2d36adae19951114ffcbb7106ed405ebb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b9451ba6f21478a75288ea3e3fca4be35e2a438"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5c8906de98d0d7ad42ff3edf2cb6cd7e0ea658c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/810ee43d9cd245d138a2733d87a24858a23f577d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c3af7e460a526007e4bed1ce3623274a1a6afe5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ef4e249971eb77ec33d74c5c3de1e2576faf6c90"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f82cb7f24032ed023fc67d26ea9bf322d8431a90"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fac5e82ab1334fc8ed6ff7183702df634bd1d93d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Squashfs: sanity check symbolic link size", "id": "2313092", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313092"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nSquashfs: sanity check symbolic link size\nSyzkiller reports a \"KMSAN: uninit-value in pick_link\" bug.\nThis is caused by an uninitialised page, which is ultimately caused\nby a corrupted symbolic link size read from disk.\nThe reason why the corrupted symlink size causes an uninitialised\npage is due to the following sequence of events:\n1. squashfs_read_inode() is called to read the symbolic\nlink from disk. This assigns the corrupted value\n3875536935 to inode->i_size.\n2. Later squashfs_symlink_read_folio() is called, which assigns\nthis corrupted value to the length variable, which being a\nsigned int, overflows producing a negative number.\n3. The following loop that fills in the page contents checks that\nthe copied bytes is less than length, which being negative means\nthe loop is skipped, producing an uninitialised page.\nThis patch adds a sanity check which checks that the symbolic\nlink size is not larger than expected.\n--\nV2: fix spelling mistake."], "name": "CVE-2024-46744", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-46744\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46744\nhttps://lore.kernel.org/linux-cve-announce/2024091836-CVE-2024-46744-451f@gregkh/T"], "threat_severity": "Moderate"}