CVE-2024-26640

tcp: add sanity checks to rx zerocopy

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity checks to rx zerocopy

TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.

This patch adds to can_map_frag() these additional checks:

- Page must not be a compound one.
- page->mapping must be NULL.

This fixes the panic reported by ZhangPeng.

syzbot was able to loopback packets built with sendfile(),
mapping pages owned by an ext4 file to TCP rx zerocopy.

r3 = socket$inet_tcp(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tcp: agregue controles de seguridad a rx zerocopy La intención de TCP rx zerocopy es mapear páginas inicialmente asignadas desde controladores NIC, no páginas propiedad de un fs. Este parche añade a can_map_frag() estas comprobaciones adicionales: - La página no debe ser compuesta. - página->mapeo debe ser NULL. Esto soluciona el pánico informado por ZhangPeng. syzbot pudo realizar un loopback de paquetes creados con sendfile(), asignando páginas propiedad de un archivo ext4 a TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4 , &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00) 000000c0 )='./file0\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000) 001c0)={ &(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f000) 00000c0)='./archivo0 \x00', 0x181e42, 0x0)

A vulnerability was found in Linux Kernel where rx zerocopy feature allowed mapping of pages owned by the filesystem, leading to potential system panic which is caused by the lack of sanity checks to rx zerocopy. A local authenticated attacker could exploit this vulnerability to cause a denial of service.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-03-18 CVE Published
2024-03-19 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/93ab6cc69162775201587cc9da00d5016dc890e2	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f	2024-02-23
https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e	2024-02-23
https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e	2024-02-05
https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760	2024-02-05
https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60	2024-02-05
https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894	2024-01-29

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26640	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2270100	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.1.77 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.1.77"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.6.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.6.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.7.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.7.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.8"		en		Affected