PT-2024-27215 · Linux+10 · Linux Kernel+10

Syzkaller · Published 2024-05-02 · Updated 2026-05-07 · CVE-2024-36927

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.37

Description

A vulnerability has been resolved in the Linux kernel, specifically in the ipv4 module. The issue is an uninit-value access in the __ip_make_skb() function. This function tests the HDRINCL flag to determine whether the socket buffer (skb) has an ICMP header (icmphdr). However, testing HDRINCL at that point is subject to a race condition: if setsockopt(2) is called with IP_HDRINCL while __ip_make_skb() is running, it can change the HDRINCL flag, and the function then accesses icmphdr in the skb even if it is not included. This issue was reported by KMSAN. To fix this, the code now checks FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket. Additionally, fl4->fl4_icmp_type and fl4->fl4_icmp_code were not initialized; they are part of a union in struct flowi4 and are implicitly initialized by flowi4_init_output(), but the code should not rely on a specific union layout. Therefore, these fields are now explicitly initialized in raw_sendmsg().

Recommendations

To resolve this issue, update the Linux kernel to version 6.6.37 or later. This update includes the fix for the uninit-value access in __ip_make_skb() and ensures that fl4->fl4_icmp_type and fl4->fl4_icmp_code are properly initialized.
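The pattern behind the description above, as an added user-space model that is not kernel code and not part of the original advisory: a decision read twice from shared socket state, next to the fixed form that records it once in per-call flow state. All struct, macro and function names are hypothetical, and the model assumes the flag is recorded in the flow at the start of the send.

```c
#include <stdbool.h>
#include <stdint.h>

/* User-space model only; every name below is hypothetical, not kernel code. */
#define KNOWN_NH 0x1u                 /* stands in for FLOWI_FLAG_KNOWN_NH */

struct sock_model { bool hdrincl; };  /* shared state; setsockopt(2) may flip it */
struct flow_model {                   /* per-call state, like struct flowi4 */
    unsigned flags;
    uint8_t icmp_type, icmp_code;
};
struct skb_model { bool has_icmphdr; };  /* true only if the caller supplied headers */

enum type_source { FROM_FLOW, FROM_SKB, FROM_SKB_UNINIT };

/* Start of a send: sample the option once and record the result in the flow. */
static struct flow_model begin_send(const struct sock_model *sk, uint8_t type)
{
    struct flow_model fl = { .flags = sk->hdrincl ? KNOWN_NH : 0u };
    fl.icmp_type = 0;                 /* explicit init: no reliance on union layout */
    fl.icmp_code = 0;
    if (!(fl.flags & KNOWN_NH))
        fl.icmp_type = type;
    return fl;
}

/* Where the ICMP type comes from; fixed=false re-reads the shared socket flag. */
static enum type_source pick(bool fixed, const struct sock_model *sk,
                             const struct flow_model *fl, const struct skb_model *skb)
{
    bool hdrincl = fixed ? (fl->flags & KNOWN_NH) != 0 : sk->hdrincl;
    if (!hdrincl)
        return FROM_FLOW;
    return skb->has_icmphdr ? FROM_SKB : FROM_SKB_UNINIT;
}

/* One send; flip=true models setsockopt(2) landing between the two steps. */
enum type_source simulate_send(bool fixed, bool flip)
{
    struct sock_model sk = { .hdrincl = false };
    struct flow_model fl = begin_send(&sk, 8);   /* 8: constructed sample type */
    struct skb_model skb = { .has_icmphdr = (fl.flags & KNOWN_NH) != 0 };
    if (flip)
        sk.hdrincl = true;
    return pick(fixed, &sk, &fl, &skb);
}

int main(void) { return simulate_send(true, true) == FROM_FLOW ? 0 : 1; }
```

In the model, only the unfixed path with the flag flipped mid-send ends up reading a header the buffer never contained; the fixed path stays consistent with what was recorded when the send began.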

Exploit

Fix

DoS

Race Condition

Use of Uninitialized Resource

Weakness Enumeration

Related Identifiers

ALSA-2024:5101
ALSA-2024:5102
ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
AZL-56207
BDU:2025-11996
CESA-2024_5101
CESA-2024_5102
CVE-2024-36927
DLA-4271-1
DSA-5925-1
ECHO-0746-409A-7121
INFSA-2024_5101
INFSA-2024_5102
INFSA-2024_9315
MGASA-2024-0263
MGASA-2024-0266
OESA-2024-2292
OESA-2024-2293
OESA-2024-2296
OPENSUSE-SU-2024_4314-1
OPENSUSE-SU-2024_4316-1
RHSA-2024:5101
RHSA-2024:5102
RHSA-2024:9315
RHSA-2024_5101
RHSA-2024_5102
RHSA-2024_9315
RHSA-2025:3215
RLSA-2024:5101
RLSA-2024:5102
RXSA-2024:5101
SUSE-SU-2024:4314-1
SUSE-SU-2024:4316-1
SUSE-SU-2024:4318-1
SUSE-SU-2024:4387-1
SUSE-SU-2025:20163-1
SUSE-SU-2025:20164-1
SUSE-SU-2025:20246-1
SUSE-SU-2025:20247-1
USN-6949-1
USN-6949-2
USN-6952-1
USN-6952-2
USN-6955-1
USN-8096-1
USN-8096-2
USN-8096-3
USN-8096-4
USN-8096-5
USN-8116-1
USN-8141-1
USN-8163-1
USN-8163-2
USN-8243-1

Affected Products

Almalinux
Astra Linux
Centos
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu