CVE-2024-26921
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-26921
CVE Details
| Release Date: | 2024-04-18 |
Description
In the Linux kernel, the following vulnerability has been resolved:\ninet: inet_defrag: prevent sk release while still in use\nip_local_out() and other functions can pass skb->sk as function argument.\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\nCalling ip_defrag() in output path is also implying skb_orphan(),\nwhich is buggy because output path relies on sk not disappearing.\nA relevant old patch about the issue was :\n8282f27449bf ('inet: frag: Always orphan skbs inside ip_defrag()')\n[..]\nnet/ipv4/ip_output.c depends on skb->sk being set, and probably to an\ninet socket, not an arbitrary one.\nIf we orphan the packet in ipvlan, then downstream things like FQ\npacket scheduler will not work properly.\nWe need to change ip_defrag() to only use skb_orphan() when really\nneeded, ie whenever frag_list is going to be used.\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.
See more information about CVE-2024-26921 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 5.5 |
| Vector String: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | Low |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality: | None |
| Integrity: | None |
| Availability: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel) | ELSA-2024-5101 | 2024-08-08 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
| Oracle Linux version 9 (kernel) | ELSA-2024-9315 | 2024-11-14 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
