arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 "> arp_ha.sa_data",at net/ipv4/arp.c:1128,(size,14),WARNING:,CPU:,0,PID:,144638,at net/ipv4/arp.c:1128,arp_req_get+0x411/0x4a0,net/ipv4/arp.c:1128 Modules,linked,in:,CPU:,0,PID:,144638,Comm:,syz-executor.4,Not,tainted 6.1.74,#31,Hardware,name:,QEMU,Standard,PC,(i440FX,+,PIIX,,1996),,BIOS 1.16.0-debian-1.16.0-5,04/01/2014,RIP:,0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128,Code:,fd,ff,ff,e8,41,42,de,fb,b9,0e,00,00,00,4c,89 fe,48,c7,c2,20,6d,ab,87,48,c7,c7,80,6d,ab,87,c6,05,25,af,72,04,01,e8 5f,8d,ad,fb,<0f>,0b,e9,6c,fd,ff,ff,e8,13,42,de,fb,be,03,00,00,00,4c,89 e7,e8,a6,RSP:,0018:ffffc900050b7998,EFLAGS:,00010286,RAX: 0000000000000000,RBX:,ffff88803a815000,RCX:,0000000000000000,RDX: 0000000000000000,RSI:,ffffffff8641a44a,RDI:,0000000000000001,RBP: ffffc900050b7a98,R08:,0000000000000001,R09:,0000000000000000,R10: 0000000000000000,R11:,203a7970636d656d,R12:,ffff888039c54000,R13: 1ffff92000a16f37,R14:,ffff88803a815084,R15:,0000000000000010,FS: 00007f172bf306c0(0000),GS:ffff88805aa00000(0000) knlGS:0000000000000000,CS:,0010,DS:,0000,ES:,0000,CR0: 0000000080050033,CR2:,00007f172b3569f0,CR3:,0000000057f12005,CR4: 0000000000770ef0,DR0:,0000000000000000,DR1:,0000000000000000,DR2: 0000000000000000,DR3:,0000000000000000,DR6:,00000000fffe0ff0,DR7: 0000000000000400,PKRU:,55555554,Call,Trace:, arp_ioctl+0x33f/0x4b0,net/ipv4/arp.c:1261,inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981,sock_do_ioctl+0xdf/0x260,net/socket.c:1204 sock_ioctl+0x3ef/0x650,net/socket.c:1321,vfs_ioctl,fs/ioctl.c:51 [inline],__do_sys_ioctl,fs/ioctl.c:870,[inline],__se_sys_ioctl fs/ioctl.c:856,[inline],__x64_sys_ioctl+0x18e/0x220,fs/ioctl.c:856 do_syscall_x64,arch/x86/entry/common.c:51,[inline] do_syscall_64+0x37/0x90,arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce,RIP:,0033:0x7f172b262b8d Code:,66,2e,0f,1f,84,00,00,00,00,00,0f,1f,00,f3,0f,1e,fa,48,89,f8,48 89,f7,48,89,d6,48,89,ca,4d,89,c2,4d,89,c8,4c,8b,4c,24,08,0f,05,<48>,3d 01,f0,ff,ff,73,01,c3,48,c7,c1,b8,ff,ff,ff,f7,d8,64,89,01,48,RSP: 002b:00007f172bf300b8,EFLAGS:,00000246,ORIG_RAX:,0000000000000010,RAX: ffffffffffffffda,RBX:,00007f172b3abf80,RCX:,00007f172b262b8d,RDX: 0000000020000000,RSI:,0000000000008954,RDI:,0000000000000003,RBP: 00007f172b2d3493,R08:,0000000000000000,R09:,0000000000000000,R10: 0000000000000000,R11:,0000000000000246,R12:,0000000000000000,R13: 000000000000000b,R14:,00007f172b3abf80,R15:,00007f172bf10000, "> SecuritySpace - CVE-2024-26733
 
English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

CVE ID:CVE-2024-26733
Description:In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
Test IDs: None available
Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2024-26733
https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50
https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50
https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91
https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91
https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667
https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667
https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0
https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0



© 1998-2025 E-Soft Inc. All rights reserved.