Release Date: 2024-10-21
In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ('net: be more gentle about silly gso requests coming from user') virtio_net_hdr_to_skb() had a sanity check to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ('net: virtio_net_hdr_to_skb: count transport header in UFO'), while fixing one issue, allowed user space to cook a GSO packet with the following characteristic:

IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len.

Then the following sets gso_segs to 0:

gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
                        shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len back to zero :/

qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1]

qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel.

This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug.

[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
 0: 24 08                 and    $0x8,%al
 2: 49 c1 e1 06           shl    $0x6,%r9
 6: 44 89 7c 24 18        mov    %r15d,0x18(%rsp)
 b: 45 31 ed              xor    %r13d,%r13d
 e: 45 31 c0              xor    %r8d,%r8d
11: 31 ff                 xor    %edi,%edi
13: 89 44 24 14           mov    %eax,0x14(%rsp)
17: 4c 03 8b 90 01 00 00  add    0x190(%rbx),%r9
1e: eb 04                 jmp    0x24
20: 39 ca                 cmp    %ecx,%edx
22: 73 37                 jae    0x5b
24: 4d 8b 39              mov    (%r9),%r15
27: 83 c7 01              add    $0x1,%edi
2a:*49 8b 17              mov    (%r15),%rdx    <-- trapping instruction
2d: 49 89 11              mov    %rdx,(%r9)
30: 41 8b 57 28           mov    0x28(%r15),%edx
34: 45 8b 5f 34           mov    0x34(%r15),%r11d
38: 49 c7 07 00 00 00 00  movq   $0x0,(%r15)
3f: 49                    rex.WB
Code starting with the faulting instruction
===========================================
 0: 49 8b 17              mov    (%r15),%rdx
 3: 49 89 11              mov    %rdx,(%r9)
 6: 41 8b 57 28           mov    0x28(%r15),%edx
 a: 45 8b 5f 34           mov    0x34(%r15),%r11d
 e: 49 c7 07 00 00 00 00  movq   $0x0,(%r15)
15: 49                    rex.WB
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C
---truncated---
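The arithmetic the commit message describes, as an added model written for this page (not kernel code and not the upstream patch): the packet from the report (skb->len = 28, hdr_len = 28, gso_size = 3) drives DIV_ROUND_UP to 0, and (gso_segs - 1) * hdr_len then wraps the unsigned estimate back to 0. The `struct gso_skb` and the `gso_segs <= 1` guard in the checked variant are this example's own assumptions about how to refuse that case.

```c
#include <stdbool.h>
#include <stdio.h>

/* Same shape as the kernel macro the commit message quotes. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Constructed stand-in for the few skb fields the estimate reads.
 * Types mirror the kernel: skb->len and hdr_len are unsigned int,
 * shinfo->gso_size / gso_segs are unsigned short. */
struct gso_skb {
	unsigned int len;        /* skb->len: bytes in the skb          */
	unsigned int hdr_len;    /* L3 + L4 header bytes (28 for v4/UDP) */
	unsigned short gso_size; /* payload bytes per segment (user set) */
};

/* Segment count recomputed for a "dodgy" user-supplied GSO packet. */
static unsigned short gso_segs_of(const struct gso_skb *skb)
{
	return DIV_ROUND_UP(skb->len - skb->hdr_len, skb->gso_size);
}

/* Estimate as described in the report: with gso_segs == 0 the term
 * (gso_segs - 1) is the int -1, so -1 * hdr_len is added to an
 * unsigned pkt_len and the result wraps to exactly 0. */
static unsigned int pkt_len_estimate_old(const struct gso_skb *skb)
{
	unsigned int pkt_len = skb->len;
	unsigned short gso_segs = gso_segs_of(skb);

	pkt_len += (gso_segs - 1) * skb->hdr_len;
	return pkt_len;
}

/* Checked variant (example guard, not the upstream diff): a packet
 * that yields at most one segment carries no extra headers, so the
 * estimate stays at skb->len instead of wrapping. The len < hdr_len
 * case the follow-up commit mentions is not modelled here. */
static unsigned int pkt_len_estimate_checked(const struct gso_skb *skb)
{
	unsigned int pkt_len = skb->len;
	unsigned short gso_segs = gso_segs_of(skb);

	if (gso_segs > 1)
		pkt_len += (gso_segs - 1) * skb->hdr_len;
	return pkt_len;
}

int main(void)
{
	struct gso_skb bad = { .len = 28, .hdr_len = 28, .gso_size = 3 };

	printf("old: %u  checked: %u\n",
	       pkt_len_estimate_old(&bad), pkt_len_estimate_checked(&bad));
	return 0;
}
```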
See more information about CVE-2024-49949 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
Base Score: 5.5
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Platform | Errata | Release Date |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
Oracle Linux version 8 (kernel) | ELSA-2024-10943 | 2024-12-11 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
Oracle Linux version 9 (kernel) | ELSA-2024-10939 | 2024-12-11 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: