CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-53680: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

Description

In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

Under certain kernel configurations when building with Clang/LLVM, the
compiler does not generate a return or jump as the terminator
instruction for ip_vs_protocol_init(), triggering the following objtool
warning during build time:

vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()

At runtime, this either causes an oops when trying to load the ipvs
module or a boot-time panic if ipvs is built-in. This same issue has
been reported by the Intel kernel test robot previously.

Digging deeper into both LLVM and the kernel code reveals this to be a
undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer
of 64 chars to store the registered protocol names and leaves it
uninitialized after definition. The function calls strnlen() when
concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE
strnlen() performs an extra step to check whether the last byte of the
input char buffer is a null character (commit 3009f891bb9f ("fortify:
Allow strlen() and strnlen() to pass compile-time known lengths")).
This, together with possibly other configurations, cause the following
IR to be generated:

define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 {
%1 = alloca [64 x i8], al...

Classification

CVE ID: CVE-2024-53680

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.38% (scored less or equal to compared to others)

EPSS Date: 2025-02-09 (when was this score calculated)

References

https://git.kernel.org/stable/c/31d1ddc1ce8e8d3f101a679243abb42a313ee88a
https://git.kernel.org/stable/c/0b2cbed82b7c6504a8a0fbd181f92dd56b432c12
https://git.kernel.org/stable/c/d6e1776f51c95827142f1d7064118e255e2deec1
https://git.kernel.org/stable/c/664d0feab92495b6a27edc3d1119e232c0fe8b2b
https://git.kernel.org/stable/c/124834133b32f9386bb2d8581d9ab92f65e951e4
https://git.kernel.org/stable/c/48130002e64fd191b7d18efeb4d253fcc23e4688
https://git.kernel.org/stable/c/146b6f1112eb30a19776d6c323c994e9d67790db

Timeline