CVE-2024-35894

CVE Details

Release Date:

2024-05-19

Description

In the Linux kernel, the following vulnerability has been resolved:\nmptcp: prevent BPF accessing lowat from a subflow socket.\nAlexei reported the following splat:\nWARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0\nModules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]\nCPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23\nCall Trace:\n\nmptcp_set_rcvlowat+0x79/0x1d0\nsk_setsockopt+0x6c0/0x1540\n__bpf_setsockopt+0x6f/0x90\nbpf_sock_ops_setsockopt+0x3c/0x90\nbpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b\nbpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132\nbpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86\n__cgroup_bpf_run_filter_sock_ops+0xbc/0x250\ntcp_connect+0x879/0x1160\ntcp_v6_connect+0x50c/0x870\nmptcp_connect+0x129/0x280\n__inet_stream_connect+0xce/0x370\ninet_stream_connect+0x36/0x50\nbpf_trampoline_6442491565+0x49/0xef\ninet_stream_connect+0x5/0x50\n__sys_connect+0x63/0x90\n__x64_sys_connect+0x14/0x20\nThe root cause of the issue is that bpf allows accessing mptcp-level\nproto_ops from a tcp subflow scope.\nFix the issue detecting the problematic call and preventing any action.

See more information about CVE-2024-35894 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	5.5	CVSS Vector:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector:	Local network	Attack Complexity:	Low
Privileges Required:	Low	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 9 (kernel)	ELSA-2024-9315	2024-11-14