Bug 1223053 (CVE-2024-26849)

Summary: VUL-0: CVE-2024-26849: kernel: netlink: read past the malformed (too small) attribute
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Denis Kirjanov <denis.kirjanov>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: mhocko, thomas.leroy, vasant.karasulli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/402354/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26849:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-18 09:33:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netlink: add nla be16/32 types to minlen array

BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
 nla_validate_range_unsigned lib/nlattr.c:222 [inline]
 nla_validate_int_range lib/nlattr.c:336 [inline]
 validate_nla lib/nlattr.c:575 [inline]
...

The message in question matches this policy:

 [NFTA_TARGET_REV]       = NLA_POLICY_MAX(NLA_BE32, 255),

but because NLA_BE32 size in minlen array is 0, the validation
code will read past the malformed (too small) attribute.

Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:
those likely should be added too.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26849
https://www.cve.org/CVERecord?id=CVE-2024-26849
https://git.kernel.org/stable/c/0ac219c4c3ab253f3981f346903458d20bacab32
https://git.kernel.org/stable/c/7a9d14c63b35f89563c5ecbadf918ad64979712d
https://git.kernel.org/stable/c/9a0d18853c280f6a0ee99f91619f2442a17a323a
https://git.kernel.org/stable/c/a2ab028151841cd833cb53eb99427e0cc990112d
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-26849.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2275754