CVE-2024-26953

CVE Details

Release Date:

2024-05-01

Description

In the Linux kernel, the following vulnerability has been resolved:\nnet: esp: fix bad handling of pages from page_pool\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\nBUG: Bad page state in process ksoftirqd/16 pfn:1451b6\npage:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\nflags: 0x200000000000000(node=0|zone=2)\npage_type: 0xffffffff()\nraw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\nraw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\npage dumped because: page_pool leak\nModules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\nCPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n\ndump_stack_lvl+0x36/0x50\nbad_page+0x70/0xf0\nfree_unref_page_prepare+0x27a/0x460\nfree_unref_page+0x38/0x120\nesp_ssg_unref.isra.0+0x15f/0x200\nesp_output_tail+0x66d/0x780\nesp_xmit+0x2c5/0x360\nvalidate_xmit_xfrm+0x313/0x370\n? validate_xmit_skb+0x1d/0x330\nvalidate_xmit_skb_list+0x4c/0x70\nsch_direct_xmit+0x23e/0x350\n__dev_queue_xmit+0x337/0xba0\n? nf_hook_slow+0x3f/0xd0\nip_finish_output2+0x25e/0x580\niptunnel_xmit+0x19b/0x240\nip_tunnel_xmit+0x5fb/0xb60\nipgre_xmit+0x14d/0x280 [ip_gre]\ndev_hard_start_xmit+0xc3/0x1c0\n__dev_queue_xmit+0x208/0xba0\n? nf_hook_slow+0x3f/0xd0\nip_finish_output2+0x1ca/0x580\nip_sublist_rcv_finish+0x32/0x40\nip_sublist_rcv+0x1b2/0x1f0\n? ip_rcv_finish_core.constprop.0+0x460/0x460\nip_list_rcv+0x103/0x130\n__netif_receive_skb_list_core+0x181/0x1e0\nnetif_receive_skb_list_internal+0x1b3/0x2c0\nnapi_gro_receive+0xc8/0x200\ngro_cell_poll+0x52/0x90\n__napi_poll+0x25/0x1a0\nnet_rx_action+0x28e/0x300\n__do_softirq+0xc3/0x276\n? sort_range+0x20/0x20\nrun_ksoftirqd+0x1e/0x30\nsmpboot_thread_fn+0xa6/0x130\nkthread+0xcd/0x100\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork+0x31/0x50\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork_asm+0x11/0x20\n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.

See more information about CVE-2024-26953 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	5.5	CVSS Vector:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector:	Local network	Attack Complexity:	Low
Privileges Required:	Low	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 9 (kernel)	ELSA-2024-9315	2024-11-14