Bug 1225763 (CVE-2024-36935) - VUL-0: CVE-2024-36935: kernel: ice: ensure the copied buf is NUL terminated
Status: NEW
Alias: CVE-2024-36935
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408178/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-36935:5.1:(AV:...
Reported: 2024-05-31 15:56 UTC by SMASH SMASH
Modified: 2024-07-08 15:09 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-05-31 15:56:08 UTC
In the Linux kernel, the following vulnerability has been resolved:

ice: ensure the copied buf is NUL terminated

Currently, we allocate a count-sized kernel buffer and copy count bytes
from userspace to that buffer. Later, we use sscanf on this buffer but we
don't ensure that the string is terminated inside the buffer, this can lead
to OOB read when using sscanf. Fix this issue by using memdup_user_nul
instead of memdup_user.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36935
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-36935.mbox
https://git.kernel.org/stable/c/5ff4de981983ed84f29b5d92b6550ec054e12a92
https://git.kernel.org/stable/c/666854ea9cad844f75a068f32812a2d78004914a
https://www.cve.org/CVERecord?id=CVE-2024-36935
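
A userspace model of the bug class described above, added here as an illustration and not taken from the ice driver or the kernel patch. `dup_raw` and `dup_nul` are hypothetical stand-ins for `memdup_user` and `memdup_user_nul`, and the stale bytes in the arena are constructed so the over-read is observable without touching memory outside the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for memdup_user(): copies exactly count bytes and
 * adds no terminator. The copy goes into a caller-supplied arena so that the
 * bytes following the logical buffer are defined for this demonstration. */
static char *dup_raw(char *arena, const char *src, size_t count)
{
    memcpy(arena, src, count);
    return arena;
}

/* Hypothetical stand-in for memdup_user_nul(): count + 1 bytes, last is NUL. */
static char *dup_nul(const char *src, size_t count)
{
    char *p = malloc(count + 1);
    if (!p)
        return NULL;
    memcpy(p, src, count);
    p[count] = '\0';
    return p;
}

/* Unfixed pattern: sscanf() runs on a buffer that has no terminator of its
 * own, so parsing continues into whatever bytes happen to follow it. */
int parse_unterminated(const char *user, size_t count)
{
    char arena[16] = "XX345";  /* constructed: "345" is stale adjacent data */
    int val = -1;
    if (count >= sizeof(arena))
        return -1;
    sscanf(dup_raw(arena, user, count), "%d", &val);
    return val;
}

/* Fixed pattern: the terminator bounds the parse to the bytes the user wrote. */
int parse_terminated(const char *user, size_t count)
{
    int val = -1;
    char *buf = dup_nul(user, count);
    if (!buf)
        return -1;
    sscanf(buf, "%d", &val);
    free(buf);
    return val;
}

int main(void)
{
    printf("unterminated: %d\n", parse_unterminated("12", 2));
    printf("terminated:   %d\n", parse_terminated("12", 2));
    return 0;
}
```

In the kernel the bytes after a count-sized allocation are not a known array but adjacent heap memory, which is why the unterminated parse is an out-of-bounds read rather than just a wrong value.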
Comment 2 Thomas Bogendoerfer 2024-06-19 10:54:48 UTC
Backported fix to SLE15-SP6