8.7 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Out-of-bounds heap write in Zephyr `recvmsg()` ancillary-data path (`insert_pktinfo` undersizes the control-buffer capacity check)
Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.
References
-
Fix commit patch
Affected products
- <4.5.0
Matching in nixpkgs
pkgs.python312Packages.smoke-zephyr
None
pkgs.python313Packages.smoke-zephyr
Python utility collection
pkgs.python314Packages.smoke-zephyr
Python utility collection
pkgs.python312Packages.zephyr-python-api
None
pkgs.python313Packages.zephyr-python-api
Set of wrappers for Zephyr Scale (TM4J) REST API
pkgs.python314Packages.zephyr-python-api
Set of wrappers for Zephyr Scale (TM4J) REST API
pkgs.python312Packages.zephyr-test-management
None
pkgs.python313Packages.zephyr-test-management
Wrappers for both Zephyr Scale and Zephyr Squad (TM4J) REST APIs
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@Steinhagen Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>