CVE - CVE-2024-35944

CVE-ID
CVE-2024-35944	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Syzkaller hit 'WARNING in dg_dispatch_as_host' bug. memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24) WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237 Some code commentry, based on my understanding: 544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size) /// This is 24 + payload_size memcpy(&dg_info->msg, dg, dg_size); Destination = dg_info->msg ---> this is a 24 byte structure(struct vmci_datagram) Source = dg --> this is a 24 byte structure (struct vmci_datagram) Size = dg_size = 24 + payload_size {payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32. 35 struct delayed_datagram_info { 36 struct datagram_entry entry; 37 struct work_struct work; 38 bool in_dg_host_queue; 39 / msg and msg_payload must be together. */ 40 struct vmci_datagram msg; 41 u8 msg_payload[]; 42 }; So those extra bytes of payload are copied into msg_payload[], a run time warning is seen while fuzzing with Syzkaller. One possible way to fix the warning is to split the memcpy() into two parts -- one -- direct assignment of msg and second taking care of payload. Gustavo quoted: "Under FORTIFY_SOURCE we should not copy data across multiple members in a structure."
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74 URL:https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74 MISC:https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec URL:https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec MISC:https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f URL:https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f MISC:https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100 URL:https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100 MISC:https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73 URL:https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73 MISC:https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051 URL:https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051 MISC:https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b URL:https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b MISC:https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75 URL:https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75 MLIST:[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update URL:https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Assigning CNA
kernel.org
Date Record Created
20240517	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240517)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)