CVE-2024-26675

ppp_async: limit MRU to 64K

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ppp_async: limit MRU to 64K

syzbot triggered a warning [1] in __alloc_pages():

WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)

Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")

Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)

[1]:

WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events_unbound flush_to_ldisc
pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
sp : ffff800093967580
x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
Call trace:
__alloc_pages+0x308/0x698 mm/page_alloc.c:4543
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
__kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
__do_kmalloc_node mm/slub.c:3969 [inline]
__kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
__alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
__netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
dev_alloc_skb include/linux/skbuff.h:3248 [inline]
ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
process_one_work+0x694/0x1204 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ppp_async: limitar MRU a 64K syzbot activó una advertencia [1] en __alloc_pages(): WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) Willem solucionó un problema similar en el commit c0a2a1b0d631 ("ppp: limite MRU a 64K") Adopte la misma verificación de cordura para ppp_async_ioctl(PPPIOCSMRU) [1]: ADVERTENCIA: CPU: 1 PID: 11 en mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 Módulos vinculados en: CPU: 1 PID: 11 Comm: kworker/u4:0 No contaminado 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 17/11/2023 Cola de trabajo: events_unbound flux_to_ldisc pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 sp: ffff800093967580 x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000 939675c0 x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff8000939671 20 x17: ffff800083bded5c x16: ffff80008ac97500 x15: 00000000000000005 x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9: 0000000000000001 x8: ffff800091c 91000 x7: 0000000000000000 x6: 000000000000003f x5: 00000000ffffffff x4: 0000000000000000 x3: 00000000000000020 x2: 0000000000000008 x1: 0000000000000000 x0: ffff8000939675e0 Rastreo de llamadas: __alloc_pages+0x308/ 0x698 mm/page_alloc.c:4543 __alloc_pages_node include/linux/gfp.h:238 [en línea] alloc_pages_node include/linux/gfp.h:261 [en línea] __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 __do_kmalloc_node mm/slub .c:3969 [en línea] __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 __netdev_alloc_skb+0x b8 /0x3e8 net/core/skbuff.c:715 netdev_alloc_skb include/linux/skbuff.h:3235 [en línea] dev_alloc_skb include/linux/skbuff.h:3248 [en línea] ppp_async_input drivers/net/ppp/ppp_async.c:863 [ en línea] ppp_asynctty_receive+0x588/0x186c controladores/net/ppp/ppp_async.c:341 tty_ldisc_receive_buf+0x12c/0x15c controladores/tty/tty_buffer.c:390 tty_port_default_receive_buf+0x74/0xac controladores/tty/tty_port.c:37 recibir_buf controladores /tty /tty_buffer.c:444 [en línea] Flush_to_ldisc+0x284/0x6e4 controladores/tty/tty_buffer.c:494 Process_one_work+0x694/0x1204 kernel/workqueue.c:2633 Process_scheduled_works kernel/workqueue.c:2706 [en línea] trabajador_thread+0x938/ 0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-02 CVE Published
2024-04-02 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed	2024-02-23
https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982	2024-02-23
https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b	2024-02-23
https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3	2024-02-23
https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16	2024-02-16
https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719	2024-02-16
https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8	2024-02-16
https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8	2024-02-07

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26675	2024-07-08
https://bugzilla.redhat.com/show_bug.cgi?id=2272829	2024-07-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 4.19.307 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 4.19.307"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.4.269 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.4.269"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.1.78 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.1.78"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.6.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.6.17"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.7.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.8"		en		Affected