CVE-2024-49979

{"id": "CVE-2024-49979", "cveTags": [], "metrics": {}, "published": "2024-10-21T18:15:18.550", "references": [{"url": "https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix tcp fraglist segmentation after pull from frag_list\n\nDetect tcp gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For TCP, this\ncauses a NULL ptr deref in __tcpv4_gso_segment_list_csum at\ntcp_hdr(seg->next).\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.\n\nApproach and description based on a patch by Willem de Bruijn."}], "lastModified": "2024-10-21T18:15:18.550", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}