CVE-2024-39487

In the Linux kernel, the following vulnerability has been resolved:

bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read.

BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 dev_attr_store+0x54/0x80 drivers/base/core.c:2366 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x96a/0xd80 fs/read_write.c:584 ksys_write+0x122/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b —[ end trace ]—

Fix it by adding a check of string length before using it.

Weakness

The product reads data past the end, or before the beginning, of the intended buffer.

Affected Software

Potential Mitigations

• Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
• When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
• Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
• To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/540.html

References

• https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e
• https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1
• https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b
• https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da
• https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8
• https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9
• https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f
• https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d
• https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e
• https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1
• https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b
• https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da
• https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8
• https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9
• https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f
• https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d