CVE-2024-50083

CVE Details

Release Date:

2024-10-29

Description

In the Linux kernel, the following vulnerability has been resolved:\ntcp: fix mptcp DSS corruption due to large pmtu xmit\nSyzkaller was able to trigger a DSS corruption:\nTCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies.\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695\nModules linked in:\nCPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695\nCode: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff\nRSP: 0018:ffffc90000006db8 EFLAGS: 00010246\nRAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00\nRDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0\nRBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8\nR10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000\nR13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5\nFS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nmove_skbs_to_msk net/mptcp/protocol.c:811 [inline]\nmptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854\nsubflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490\ntcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283\ntcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237\ntcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915\ntcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350\nip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205\nip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233\nNF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\nNF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n__netif_receive_skb_one_core net/core/dev.c:5662 [inline]\n__netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775\nprocess_backlog+0x662/0x15b0 net/core/dev.c:6107\n__napi_poll+0xcb/0x490 net/core/dev.c:6771\nnapi_poll net/core/dev.c:6840 [inline]\nnet_rx_action+0x89b/0x1240 net/core/dev.c:6962\nhandle_softirqs+0x2c5/0x980 kernel/softirq.c:554\ndo_softirq+0x11b/0x1e0 kernel/softirq.c:455\n\n\n__local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382\nlocal_bh_enable include/linux/bottom_half.h:33 [inline]\nrcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n__dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451\ndev_queue_xmit include/linux/netdevice.h:3094 [inline]\nneigh_hh_output include/net/neighbour.h:526 [inline]\nneigh_output include/net/neighbour.h:540 [inline]\nip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\nip_local_out net/ipv4/ip_output.c:130 [inline]\n__ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536\n__tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466\ntcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\ntcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline]\ntcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752\n__tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015\ntcp_push_pending_frames include/net/tcp.h:2107 [inline]\ntcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline]\ntcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239\ntcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915\nsk_backlog_rcv include/net/sock.h:1113 [inline]\n__release_sock+0x214/0x350 net/core/sock.c:3072\nrelease_sock+0x61/0x1f0 net/core/sock.c:3626\nmptcp_push_\n---truncated---

See more information about CVE-2024-50083 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	5.5
Vector String:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	Low
Privileges Required:	Low
User Interaction:	None
Scope:	Unchanged
Confidentiality:	None
Integrity:	None
Availability:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12887	2024-12-18
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12887	2024-12-18