CVE-2024-49979

In the Linux kernel, the following vulnerability has been resolved: net: gso: fix tcp fraglist segmentation after pull from frag_list Detect tcp gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For TCP, this causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at tcp_hdr(seg->next). Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. Approach and description based on a patch by Willem de Bruijn.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8	Patch
https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0	Patch
https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc1::::::

History

29 Oct 2024, 18:02

Type	Values Removed	Values Added
CWE		CWE-476
CPE		cpe:2.3:o:linux:linux_kernel:6.12:rc1:::::: cpe:2.3:o:linux:linux_kernel::::::::
First Time		Linux Linux linux Kernel
References	~~() https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8 -~~	() https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8 - Patch
References	~~() https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0 -~~	() https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0 - Patch
References	~~() https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46 -~~	() https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46 - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5

23 Oct 2024, 15:13

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: gso: arregla la segmentación de tcp fraglist después de extraer de frag_list Detecta skbs tcp gso fraglist con geometría corrupta (ver abajo) y pásalos a skb_segment en lugar de a skb_segment_list, ya que el primero puede segmentarlos correctamente. Skbs SKB_GSO_FRAGLIST válidos: consisten en dos o más segmentos: el head_skb contiene los encabezados de protocolo más el primer gso_size: uno o más skbs frag_list contienen exactamente un segmento: todos menos el último deben ser gso_size Los ganchos de ruta de datos opcionales como NAT y BPF (bpf_skb_pull_data) pueden modificar estos skbs, rompiendo estos invariantes. En casos extremos, extraen todos los datos en skb lineal. Para TCP, esto provoca un desreferenciado de ptr NULL en __tcpv4_gso_segment_list_csum en tcp_hdr(seg->next). Detecta geometría no válida debido a la extracción, verificando el tamaño de head_skb. No lo descartes, ya que esto puede convertir un destino en un agujero negro. Convierte para poder pasar a skb_segment normal. Enfoque y descripción basados en un parche de Willem de Bruijn.

21 Oct 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-21 18:15

Updated : 2024-10-29 18:02

NVD link : CVE-2024-49979

Mitre link : CVE-2024-49979

CVE.ORG link : CVE-2024-49979

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10