CVE-2024-26640

CVE Details

Release Date: 2024-03-18

Description


In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity checks to rx zerocopy

TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.

This patch adds to can_map_frag() these additional checks:

- Page must not be a compound one.
- page->mapping must be NULL.

This fixes the panic reported by ZhangPeng.

syzbot was able to loopback packets built with sendfile(),
mapping pages owned by an ext4 file to TCP rx zerocopy.

r3 = socket(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket(0x2, 0x1, 0x0)
bind(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt(r4, 0x6, 0x23,
&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
r6 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)

See more information about CVE-2024-26640 from MITRE CVE dictionary and NIST NVD
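
The two checks named in the description, as an added user-space model in C (not the kernel's code and not part of the original page). The struct layouts, the whole-page geometry test assumed to precede the new checks, and the sample pages are simplified assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define PAGE_SIZE 4096u

/* Simplified stand-ins for the kernel's struct page and skb_frag_t. */
struct page {
    bool compound;        /* models PageCompound(page) */
    const void *mapping;  /* models page->mapping; non-NULL for fs-owned pages */
};

struct frag {
    const struct page *page;
    unsigned int size;
    unsigned int offset;
};

/* Assumed pre-existing test: the fragment covers exactly one whole page. */
static bool frag_is_whole_page(const struct frag *f)
{
    return f->size == PAGE_SIZE && f->offset == 0;
}

/* Model of can_map_frag() with the two sanity checks from the description. */
static bool can_map_frag(const struct frag *f)
{
    if (!frag_is_whole_page(f))
        return false;
    if (f->page->compound)   /* "Page must not be a compound one." */
        return false;
    if (f->page->mapping)    /* "page->mapping must be NULL." */
        return false;
    return true;
}

/* Constructed sample pages (not taken from the report). */
static const int fake_address_space = 0;
static const struct page nic_page  = { false, NULL };
static const struct page ext4_page = { false, &fake_address_space };
static const struct page huge_page = { true,  NULL };

int main(void)
{
    struct frag nic  = { &nic_page,  PAGE_SIZE, 0 };
    struct frag file = { &ext4_page, PAGE_SIZE, 0 };
    struct frag huge = { &huge_page, PAGE_SIZE, 0 };
    /* Only the NIC-style page is accepted for zerocopy mapping. */
    return (can_map_frag(&nic) && !can_map_frag(&file) && !can_map_frag(&huge)) ? 0 : 1;
}
```

The file-backed page passes the geometry test alone, which is why the ownership checks are what separate it from a driver-allocated page.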


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


Platform | Errata | Release Date
Oracle Linux version 8 (kernel) | ELSA-2024-5101 | 2024-08-08
Oracle Linux version 9 (kernel) | ELSA-2024-8617 | 2024-10-30


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
